| { |
| "schema_version": "1.3.1", |
| "id": "GO-2024-2615", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2024-24766", |
| "GHSA-c967-2652-gfjm" |
| ], |
| "summary": "Username enumeration in github.com/IceWhaleTech/CasaOS-UserService", |
| "details": "CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/IceWhaleTech/CasaOS-UserService", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0.4.4-3-alpha1" |
| }, |
| { |
| "fixed": "0.4.7" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/IceWhaleTech/CasaOS-UserService/route/v1", |
| "symbols": [ |
| "PostUserLogin", |
| "PutUserInfo" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967-2652-gfjm" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/IceWhaleTech/CasaOS-UserService/commit/c75063d7ca5800948e9c09c0a6efe9809b5d39f7" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "DrDark1999" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2024-2615" |
| } |
| } |
