CVE-2021-44155

An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to login, the response if a username is valid includes Login Failed, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
VendorProductVersion
reprisesoftwarereprise_license_manager
14.2 ≤
𝑥
< 15.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/165182/Reprise-License-Manager-14.2-User-Enumeration.html
https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes
https://www.reprisesoftware.com/RELEASE_NOTES
http://packetstormsecurity.com/files/165182/Reprise-License-Manager-14.2-User-Enumeration.html
https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes
https://www.reprisesoftware.com/RELEASE_NOTES