{ "schema_version": "1.4.0", "id": "GHSA-2frx-j9hj-6c65", "modified": "2021-10-08T21:21:39Z", "published": "2021-05-17T20:52:21Z", "aliases": [], "summary": "User enumeration in authentication mechanisms", "details": "Description\n-----------\n\nThe ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. \n\nResolution\n----------\n\nWe now ensure that a generic message is returned whether the user exists or not if the password is invalid or if the user does not exist.\n\nThe patch for this issue is available [here](https://github.com/lexik/LexikJWTAuthenticationBundle/commit/a175d6dab968d93e96a3e4f80c495435f71d5eb7) for branch 2.10.x and 2.x.\n\nCredits\n-------\n\nI would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.", "severity": [], "affected": [ { "package": { "ecosystem": "Packagist", "name": "lexik/jwt-authentication-bundle" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.10.7" } ] } ] }, { "package": { "ecosystem": "Packagist", "name": "lexik/jwt-authentication-bundle" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.11.0" }, { "fixed": "2.11.3" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/lexik/LexikJWTAuthenticationBundle/security/advisories/GHSA-2frx-j9hj-6c65" }, { "type": "WEB", "url": "https://github.com/lexik/LexikJWTAuthenticationBundle/commit/a175d6dab968d93e96a3e4f80c495435f71d5eb7" }, { "type": "WEB", "url": "https://github.com/lexik/LexikJWTAuthenticationBundle" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2021-05-17T19:20:17Z", "nvd_published_at": null } }