data/reports: add GO-2024-2615.yaml
Aliases: CVE-2024-24766, GHSA-c967-2652-gfjm
Fixes golang/vulndb#2615
Change-Id: I0ca3d9597991981246d9ec45b09043e0b656f1bc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/570722
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-2615.json b/data/osv/GO-2024-2615.json
new file mode 100644
index 0000000..ff8d1d2
--- /dev/null
+++ b/data/osv/GO-2024-2615.json
@@ -0,0 +1,66 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2615",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-24766",
+ "GHSA-c967-2652-gfjm"
+ ],
+ "summary": "Username enumeration in github.com/IceWhaleTech/CasaOS-UserService",
+ "details": "CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/IceWhaleTech/CasaOS-UserService",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0.4.4-3-alpha1"
+ },
+ {
+ "fixed": "0.4.7"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/IceWhaleTech/CasaOS-UserService/route/v1",
+ "symbols": [
+ "PostUserLogin",
+ "PutUserInfo"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967-2652-gfjm"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/IceWhaleTech/CasaOS-UserService/commit/c75063d7ca5800948e9c09c0a6efe9809b5d39f7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7"
+ }
+ ],
+ "credits": [
+ {
+ "name": "DrDark1999"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2615"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2615.yaml b/data/reports/GO-2024-2615.yaml
new file mode 100644
index 0000000..188dbdf
--- /dev/null
+++ b/data/reports/GO-2024-2615.yaml
@@ -0,0 +1,29 @@
+id: GO-2024-2615
+modules:
+ - module: github.com/IceWhaleTech/CasaOS-UserService
+ versions:
+ - introduced: 0.4.4-3-alpha1
+ fixed: 0.4.7
+ vulnerable_at: 0.4.6-alpha3
+ packages:
+ - package: github.com/IceWhaleTech/CasaOS-UserService/route/v1
+ symbols:
+ - PutUserInfo
+ - PostUserLogin
+summary: Username enumeration in github.com/IceWhaleTech/CasaOS-UserService
+description: |-
+ CasaOS-UserService is vulnerable to a username enumeration issue, when an
+ attacker can enumerate the CasaOS username using the application response. If
+ the username is incorrect, the application gives the error 'User does not
+ exist'. If the password is incorrect, the application gives the error 'Invalid
+ password'.
+cves:
+ - CVE-2024-24766
+ghsas:
+ - GHSA-c967-2652-gfjm
+credits:
+ - DrDark1999
+references:
+ - advisory: https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967-2652-gfjm
+ - fix: https://github.com/IceWhaleTech/CasaOS-UserService/commit/c75063d7ca5800948e9c09c0a6efe9809b5d39f7
+ - web: https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
