Account enumeration via avatar endpoint


    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 4.8.14
    • Affects Version/s: 4.8.0, 4.8.13
    • Component/s: None
    • None
    • 3.5

      Crucible users can configure their own avatars. Because the avatar endpoint returned different responses for existing and non-existing users, it could be used for account enumeration, yielding a list of valid usernames.

      In the fix, the avatar service now returns the same response for existing and non-existing users.
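The following is an added illustration, not Crucible's code: a minimal avatar handler in its vulnerable and fixed forms, plus a differential check that a reviewer can keep as a regression test. The user set, avatar bytes, and the response shape are constructed for the example.

```python
# Added example (not Crucible's own code) of the avatar-endpoint issue and its fix.
from dataclasses import dataclass

# Constructed sample data: registered users, and the avatars some of them uploaded.
USERS = {"alice", "bob", "carol"}          # carol exists but never uploaded an avatar
AVATARS = {"alice": b"PNG-alice", "bob": b"PNG-bob"}
DEFAULT_AVATAR = b"PNG-default"            # placeholder for the built-in default image


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes
    content_type: str = "image/png"


def avatar_vulnerable(username: str) -> Response:
    """Before the fix: account existence leaks through the status code and body."""
    if username not in USERS:
        return Response(404, b"user not found", "text/plain")
    return Response(200, AVATARS.get(username, DEFAULT_AVATAR))


def avatar_fixed(username: str) -> Response:
    """After the fix: an unknown username is answered exactly like a real user
    who has no custom avatar, so the response carries no existence signal."""
    return Response(200, AVATARS.get(username, DEFAULT_AVATAR))


def leaks_account_existence(handler, existing_without_avatar: str, unknown: str) -> bool:
    """Differential check: the oracle is a real user with no custom avatar versus a
    username that does not exist. If the handler answers them differently in any
    observable field (status, body, content type), existence is enumerable."""
    return handler(existing_without_avatar) != handler(unknown)
```

In a live deployment the same comparison should cover response headers and, ideally, timing, since either can reintroduce the oracle the status-code fix removed.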

      Assignee: Marek Parfianowicz (Inactive)
      Reporter: Marek Parfianowicz (Inactive)
      Votes: 0
      Watchers: 1