GHSA-j5v3-363p-g843

Source

https://github.com/advisories/GHSA-j5v3-363p-g843

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-j5v3-363p-g843/GHSA-j5v3-363p-g843.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-j5v3-363p-g843

Aliases

CVE-2022-40084

Published

2022-10-20T19:00:30Z

Modified

2023-11-01T04:59:53.173383Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

OpenCRX vulnerable to password enumeration via error messages in password reset

Details

OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid.

Database specific

{
    "cwe_ids": [
        "CWE-203"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2022-10-20T14:15:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2022-10-24T18:51:43Z"
}

References

Affected packages

Maven / org.opencrx:opencrx-client

Package

Name: org.opencrx:opencrx-client; View open source insights on deps.dev
Purl: pkg:maven/org.opencrx/opencrx-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.2

Affected versions

4.*

4.3-alpha-1

4.3-alpha-2

4.3-alpha-3

4.3-alpha-4

4.3-alpha-5

4.3-alpha-6

4.3-alpha-7

4.3-alpha-8

4.3-alpha-9

4.3-alpha-10

4.3-alpha-11

4.3.0

5.*

5.0.0

5.0.1

5.1.0

5.2.0

5.2.1