GHSA-j5v3-363p-g843

Source
https://github.com/advisories/GHSA-j5v3-363p-g843
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-j5v3-363p-g843/GHSA-j5v3-363p-g843.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j5v3-363p-g843
Aliases
Published
2022-10-20T19:00:30Z
Modified
2023-11-01T04:59:53.173383Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
OpenCRX vulnerable to password enumeration via error messages in password reset
Details

OpenCRX before v5.2.2 is vulnerable to account enumeration through its password reset feature: the error message returned differs depending on whether the supplied username, e-mail address or ID exists, so an attacker can submit guesses and learn which of them correspond to real accounts. The weakness is an observable discrepancy (CWE-203); the advisory title calls it password enumeration, but what leaks is the existence of an account, not its password. Upgrade to 5.2.2 or later.
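As an added illustration (this is not OpenCRX's code; the user table, handler names, status codes and error strings are all constructed assumptions), the following shows the discrepancy the advisory describes, the shape of a fix, and the probe a tester would run to detect the leak: each candidate identifier is compared against a random identifier of the same shape that cannot exist, so a format-specific message is not mistaken for an existence leak.

```python
"""Added example (not OpenCRX code): password-reset account enumeration
through an observable discrepancy (CWE-203), as the advisory describes it.

Everything here is constructed for illustration: the user table, handler
names, status codes and messages are assumptions, not OpenCRX's own.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable

# Constructed sample accounts: username -> (e-mail address, user ID).
USERS: dict[str, tuple[str, str]] = {
    "admin": ("admin@example.invalid", "U1001"),
    "jdoe": ("jdoe@example.invalid", "U1002"),
}

# Reset tokens "issued" by the handlers (stands in for sending mail).
ISSUED_TOKENS: dict[str, str] = {}


@dataclass(frozen=True)
class ResetResponse:
    status: int
    message: str


def _lookup(identifier: str) -> str | None:
    """Resolve a username, e-mail address or user ID to a username, or None."""
    if identifier in USERS:
        return identifier
    for name, (email, uid) in USERS.items():
        if identifier in (email, uid):
            return name
    return None


def _issue_token(name: str) -> None:
    ISSUED_TOKENS[name] = secrets.token_urlsafe(32)


def reset_vulnerable(identifier: str) -> ResetResponse:
    """Pre-fix shape: status and wording reveal whether the account exists."""
    name = _lookup(identifier)
    if name is None:
        if "@" in identifier:
            return ResetResponse(404, "No account with this e-mail address")
        return ResetResponse(404, "User not found")
    _issue_token(name)
    return ResetResponse(200, f"Password reset mail sent to {USERS[name][0]}")


def reset_hardened(identifier: str) -> ResetResponse:
    """Fixed shape: identical status and message whether or not the account
    exists. A token is still only issued for real accounts; the caller just
    cannot tell. Mail must then go out off the request path (a queue), or
    the round-trip time becomes the next observable discrepancy."""
    name = _lookup(identifier)
    if name is not None:
        _issue_token(name)
    return ResetResponse(
        200, "If an account matches, a password reset message has been sent."
    )


def _control_for(candidate: str) -> str:
    """A random identifier of the same shape as the candidate (e-mail or not)
    that cannot exist, used as the baseline answer for comparison."""
    junk = secrets.token_hex(8)
    if "@" in candidate:
        return f"{junk}@{candidate.split('@', 1)[1]}"
    return junk


def enumerate_accounts(
    handler: Callable[[str], ResetResponse], candidates: list[str]
) -> list[str]:
    """Tester's check: a candidate is reported as valid when the endpoint
    answers it differently from a same-shaped identifier that cannot exist."""
    leaked: list[str] = []
    for candidate in candidates:
        control = handler(_control_for(candidate))
        got = handler(candidate)
        if (got.status, got.message) != (control.status, control.message):
            leaked.append(candidate)
    return leaked


# Constructed guess list mixing usernames, e-mail addresses and user IDs.
CANDIDATES = [
    "admin", "nobody",
    "jdoe@example.invalid", "ghost@example.invalid",
    "U1002", "U9999",
]

if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_accounts(reset_vulnerable, CANDIDATES))
    print("hardened leaks:  ", enumerate_accounts(reset_hardened, CANDIDATES))
```

Against the vulnerable handler the probe reports exactly the three real accounts; against the hardened handler it reports nothing, because every answer matches its control. When testing a real deployment, compare response bodies, status codes, headers and timing, not just the visible message, since any of them can carry the discrepancy.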

Database specific
{
    "nvd_published_at": "2022-10-20T14:15:00Z",
    "github_reviewed_at": "2022-10-24T18:51:43Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-203"
    ]
}
References

Affected packages

Maven / org.opencrx:opencrx-client

Package

Name
org.opencrx:opencrx-client
Purl
pkg:maven/org.opencrx/opencrx-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.2.2

Affected versions

4.*

4.3-alpha-1
4.3-alpha-2
4.3-alpha-3
4.3-alpha-4
4.3-alpha-5
4.3-alpha-6
4.3-alpha-7
4.3-alpha-8
4.3-alpha-9
4.3-alpha-10
4.3-alpha-11
4.3.0

5.*

5.0.0
5.0.1
5.1.0
5.2.0
5.2.1