CVE-2024-24766

CasaOS Username Enumeration

CVSS 6.2 MEDIUM | EPSS 0.8% | CWE-204
In short

The CasaOS login page reveals whether a username exists by returning different error messages for unknown users and wrong passwords. This lets an attacker discover valid usernames, making it easier to target those accounts with password attacks.

Technical detail

CasaOS-UserService versions 0.4.4.3 to 0.4.6 contain a username enumeration vulnerability caused by distinct error messages during authentication attempts (CWE-204). An attacker can tell an invalid username apart from an incorrect password from the application's response, enabling systematic user enumeration without authentication. Mitigated in version 0.4.7.

Summary generated and translated by AI from the official description.
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the CasaOS login page disclosed a username enumeration vulnerability. An attacker can enumerate CasaOS usernames using the application response. If the username is incorrect, the application gives the error `User does not exist`. If the password is incorrect, the application gives the error `Invalid password`. Version 0.4.7 fixes this issue.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
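As an added illustration (not CasaOS's own code), the two login-handler shapes this advisory contrasts, written in Go: one that returns the distinct messages quoted above, and a hardened one that returns a single message for both failure paths and still performs the password comparison for unknown users. The user store, password and SHA-256 digest scheme are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed in-memory user store (sample data, not CasaOS's). Plain SHA-256
// keeps the example short; a real service should use bcrypt or argon2.
var users = map[string][32]byte{
	"admin": sha256.Sum256([]byte("correct horse battery staple")),
}

// ErrGeneric is the one message the hardened login returns for every failure.
var ErrGeneric = errors.New("invalid username or password")

// loginDistinct shows the CWE-204 pattern in the advisory: the message names the failed check.
func loginDistinct(user, pass string) error {
	stored, ok := users[user]
	if !ok {
		return errors.New("User does not exist")
	}
	if got := sha256.Sum256([]byte(pass)); subtle.ConstantTimeCompare(stored[:], got[:]) != 1 {
		return errors.New("Invalid password")
	}
	return nil
}

// loginUniform is the hardened variant: both failure paths return ErrGeneric, and
// the comparison still runs for unknown users so timing does not leak the status.
func loginUniform(user, pass string) error {
	stored, ok := users[user]
	if !ok {
		stored = sha256.Sum256([]byte("placeholder")) // dummy digest for unknown users
	}
	got := sha256.Sum256([]byte(pass))
	match := subtle.ConstantTimeCompare(stored[:], got[:]) == 1
	if !ok || !match {
		return ErrGeneric
	}
	return nil
}

func main() {
	fmt.Println(loginDistinct("nobody", "x"), "|", loginDistinct("admin", "x"))
	fmt.Println(loginUniform("nobody", "x"), "|", loginUniform("admin", "x"))
}
```

A regression check for this class of bug is simply that the failure responses for an unknown user and for a known user with a wrong password compare equal.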
