Headline
GHSA-89p3-9j8c-fqh4: User account enumeration in eZ Publish Ibexa Kernel
This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2021-46876
User account enumeration in eZ Publish Ibexa Kernel
High severity GitHub Reviewed Published Mar 12, 2023 to the GitHub Advisory Database • Updated Mar 13, 2023
Package
composer ezsystems/ezpublish-kernel (Composer)
Affected versions
>= 6.13.0, < 6.13.8.1
>= 7.5.0, < 7.5.15.1
Patched versions
6.13.8.1
7.5.15.1
This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.
References
- GHSA-gmrf-99gw-vvwj
- https://nvd.nist.gov/vuln/detail/CVE-2021-46876
- ezsystems/ezpublish-kernel@b496f07
Published by the National Vulnerability Database
Mar 12, 2023
Published to the GitHub Advisory Database
Mar 12, 2023
Last updated
Mar 13, 2023
Related news
An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence.