Description
Performing a login request against the /api/v1/user/login endpoint with a username that exists in the system takes significantly longer than performing the same request with a username that is not known to the system.
Impact
The observable difference in response time can be used by an attacker to enumerate the valid usernames of managed users. LDAP and OpenID Connect users are not affected.
Patches
The issue has been fixed in Dependency-Track 4.12.2.
Workarounds
Failed login attempts are logged, for example:
Unauthorized login attempt / invalid credentials / username: admin / IP Address: [0:0:0:0:0:0:0:1] / User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
A solution like fail2ban may be used to block clients that produce many such events.
If logs are shipped to a centralized log aggregator, the same pattern may be used to issue alerts.
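As a worked example of the log-based detection described in this section (added here; this is not code from the Dependency-Track project), the following Python script parses failed-login lines in the quoted format, slides a time window per source IP, and flags clients that try many distinct usernames, which is the signature of enumeration rather than of a user mistyping a password. Only the message body starting at "Unauthorized login attempt" comes from the advisory; the timestamp prefix, the "WARN" token, the sample IPs, usernames and the constructed log lines are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the failed-login message quoted in the advisory. The leading
# "YYYY-MM-DD HH:MM:SS" timestamp is an ASSUMED logger prefix; adjust the
# ts group to your deployment's format. Brackets around the address are
# optional because the advisory only shows a bracketed IPv6 example.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"Unauthorized login attempt / invalid credentials / "
    r"username: (?P<user>.*?) / IP Address: \[?(?P<ip>[^\]\s/]+)\]? / "
    r"User Agent: (?P<ua>.*)$"
)


def parse_line(line):
    """Return {ts, user, ip, ua} for a failed-login line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "ua": m.group("ua"),
    }


def find_enumeration(lines, window=timedelta(minutes=5),
                     max_failures=10, max_distinct_users=5):
    """Flag source IPs that, within any sliding `window`, either exceed
    `max_failures` failed logins or try at least `max_distinct_users`
    different usernames. Returns {ip: {failures, distinct_users, users}}
    describing the worst window (most distinct usernames) per IP."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Advance `start` so that evs[start:end+1] spans at most `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e["user"] for e in in_window}
            if len(in_window) >= max_failures or len(users) >= max_distinct_users:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {"failures": len(in_window),
                                  "distinct_users": len(users),
                                  "users": sorted(users)}
    return alerts


# Constructed sample log (not real data): one client walking a username
# list, one legitimate user mistyping a password twice, and the advisory's
# own localhost example.
UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) "
      "Gecko/20100101 Firefox/132.0")


def _line(ts, user, ip):
    return (f"{ts} WARN Unauthorized login attempt / invalid credentials / "
            f"username: {user} / IP Address: [{ip}] / User Agent: {UA}")


SAMPLE_LOG = [
    _line("2024-11-20 10:00:00", "admin", "203.0.113.7"),
    _line("2024-11-20 10:00:10", "root", "203.0.113.7"),
    _line("2024-11-20 10:00:20", "alice", "203.0.113.7"),
    _line("2024-11-20 10:00:30", "bob", "203.0.113.7"),
    _line("2024-11-20 10:00:40", "build", "203.0.113.7"),
    _line("2024-11-20 10:00:50", "deploy", "203.0.113.7"),
    _line("2024-11-20 10:01:00", "alice", "198.51.100.4"),
    _line("2024-11-20 10:01:30", "alice", "198.51.100.4"),
    _line("2024-11-20 10:02:00", "admin", "0:0:0:0:0:0:0:1"),
]

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"block {ip}: {info['failures']} failures, "
              f"{info['distinct_users']} usernames {info['users']}")
```

Only 203.0.113.7 is flagged: six failures are below the default failure threshold, but six distinct usernames in under a minute cross the enumeration threshold, while the user who mistyped a password twice is left alone. The same message pattern, with the IP group replaced by fail2ban's <HOST> tag, can serve as a failregex, but fail2ban's maxretry counts all matches regardless of username, so the distinct-username signal is best evaluated in the log aggregator.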
Credit
Thanks to Hannes Michel at Basalt IT-security team for finding and responsibly disclosing the issue.