CVE-2024-24766
EUVD-2024-089806.03.2024, 19:15
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `**User does not exist**`. If the password is incorrect application gives the error `**Invalid password**`. Version 0.4.7 fixes this issue.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| icewhale | casaos-userservice | 0.4.4-3 ≤ 𝑥 ≤ 0.4.7 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| icewhaletech | casaos-userservice | 0.4.4.3 ≤ 𝑥 < 0.4.7 | ADP |
Common Weakness Enumeration
- CWE-204 - Observable Response DiscrepancyThe product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
- CWE-203 - Observable DiscrepancyThe product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
References