5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed package python312Packages.filebrowser-safe
- @LeSuisse removed package python313Packages.filebrowser-safe
- @LeSuisse removed maintainer @prikhi
- @LeSuisse accepted
- @LeSuisse published on GitHub
File Browser vulnerable to Username Enumeration via Timing Attack in /api/login
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue.
References
Affected products
- ==< 2.55.0
Matching in nixpkgs
pkgs.filebrowser
Filebrowser is a web application for managing files and directories
Package maintainers
-
@HritwikSinghal Hritwik Singhal <nix@thorin.theoakenshield.com>