
CVE-2022-32425: [v1.0.0b] - Time based user enumeration in the /api/auth/token endpoint · Issue #1336 · hay-kot/mealie

The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server’s response time.


First Check

  • This is not a feature request
  • I added a very descriptive title to this issue.
  • I used the GitHub search to find a similar issue and didn’t find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn’t find an answer.

What is the issue you are experiencing?

Time-based user enumeration

The login functionality of Mealie allows an unauthenticated user to enumerate existing accounts by timing the server’s response time.

The average time it takes the API server to respond is significantly lower for non-existing users than existing users.

Impact

The impact on Mealie is low (3.7); there will only be a handful of users on any deployment of Mealie. I am assuming that the probability of finding valid usernames on a randomly exposed instance is low.

The attack complexity is high, and the impact on confidentiality is low.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - Low 3.7
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

The vulnerability is related to CWE-203.

Fixes

Perform cryptographic operation

It is also possible to separate the logic for checking the username and the password inside core/security/security.py into two different checks.

Then add a call to the verify_password function with some random invalid data to make sure that both checks take a similar amount of time to complete:

if not user:
    # Hash a fixed dummy password against a fixed bcrypt hash so the
    # "unknown user" path costs about as much as a real password check.
    verify_password("abc123cba321", "$2b$12$JdHtJOlkPFwyxdjdygEzPOtYmdQF5/R5tHxw5Tq8pxjubyLqdIX5i")
    return False

if not verify_password(password, user.password):
    return False

Set minimum response time

A possible fix would be setting a minimal randomized time that is required before the auth function returns a response code. The time should be between the fastest and slowest time it takes to calculate and compare the password hash.

References

https://www.hacksplaining.com/prevention/user-enumeration
https://cwe.mitre.org/data/definitions/203.html
https://www.cvedetails.com/vulnerability-list/cweid-203/vulnerabilities.html

Deployment

Docker (Linux), Other

Deployment Details

No response
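Both mitigations proposed under Fixes (the dummy hash verification on the unknown-user path, and the randomized minimum response time), shown side by side with the leaky original shape. This is an added example, not the reporter's code and not Mealie's: PBKDF2-HMAC from hashlib stands in for bcrypt, the user table, e-mail address, passwords, ITERATIONS and MIN_RESPONSE_SECONDS are constructed or assumed values, and kdf_calls is an instrumentation counter that exists only so the two code paths can be compared without relying on wall-clock measurements.

```python
"""Timing-leak demo for a login function, with the two mitigations proposed above.

Added example, not Mealie's code. PBKDF2-HMAC from hashlib stands in for the
bcrypt hash Mealie uses; the user table, e-mail and passwords are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ITERATIONS = 100_000          # assumed work factor; one verification costs tens of ms
MIN_RESPONSE_SECONDS = 0.25   # assumed floor; must exceed the slowest real verification

# Counts expensive verifications so the code paths can be compared deterministically.
kdf_calls = {"n": 0}


@dataclass
class StoredUser:
    email: str
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(plain: str, salt: bytes, digest: bytes) -> bool:
    kdf_calls["n"] += 1
    # compare_digest keeps the final digest comparison itself constant-time.
    return hmac.compare_digest(hash_password(plain, salt), digest)


# Constructed fixtures: one account, plus a dummy salt/digest used only to burn CPU time.
_SALT = secrets.token_bytes(16)
USERS = {
    "chef@example.com": StoredUser("chef@example.com", _SALT, hash_password("correct horse", _SALT)),
}
DUMMY_SALT = secrets.token_bytes(16)
DUMMY_DIGEST = hash_password("placeholder-never-a-real-password", DUMMY_SALT)


def authenticate_vulnerable(email: str, password: str):
    """Original shape: an unknown account returns before any hashing is done."""
    user = USERS.get(email)
    if not user:
        return False                      # fast path leaks "no such account"
    if not verify_password(password, user.salt, user.digest):
        return False
    return user


def authenticate_hardened(email: str, password: str):
    """Fix 1: verify a dummy hash on the unknown-user path so both branches pay the same cost."""
    user = USERS.get(email)
    if not user:
        verify_password("abc123cba321", DUMMY_SALT, DUMMY_DIGEST)   # result deliberately ignored
        return False
    if not verify_password(password, user.salt, user.digest):
        return False
    return user


def authenticate_padded(email: str, password: str):
    """Fix 2: enforce a randomized minimum response time around the original logic."""
    start = time.perf_counter()
    result = authenticate_vulnerable(email, password)
    target = MIN_RESPONSE_SECONDS + secrets.randbelow(50) / 1000   # floor plus 0-49 ms jitter
    remaining = target - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)
    return result


def kdf_calls_for(auth_fn, email: str, password: str) -> int:
    """Number of password verifications a single login attempt performs."""
    before = kdf_calls["n"]
    auth_fn(email, password)
    return kdf_calls["n"] - before


def time_login(auth_fn, email: str, password: str, rounds: int = 5) -> float:
    """Mean wall-clock seconds per attempt; this is what a remote attacker measures."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        auth_fn(email, password)
    return (time.perf_counter() - t0) / rounds


if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_vulnerable),
                     ("hardened", authenticate_hardened),
                     ("padded", authenticate_padded)):
        existing = time_login(fn, "chef@example.com", "wrong-password")
        missing = time_login(fn, "nobody@example.com", "wrong-password")
        print(f"{name:10s} existing user {existing*1e3:7.1f} ms   unknown user {missing*1e3:7.1f} ms")
```

Running the script prints the gap the report describes for the vulnerable function (the unknown-user path skips the hash entirely) and shows it collapsing for the other two. The dummy-verification fix is the more robust of the two: the padding approach only works if MIN_RESPONSE_SECONDS stays above the slowest real verification on the deployed hardware, and it has to be revisited whenever the hash cost parameter changes.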
