What is the severity of CVE-2024-54002?

The severity of CVE-2024-54002 is categorized as medium due to the potential impact on user authentication performance.

How do I fix CVE-2024-54002?

To fix CVE-2024-54002, update Dependency-Track to version 4.12.3 or later to mitigate the vulnerability.

What is the impact of CVE-2024-54002 on user authentication?

CVE-2024-54002 causes significant delays in user login requests, which can affect user experience and potentially lead to denial of service.

Is my system affected by CVE-2024-54002?

If you are using Dependency-Track versions prior to 4.12.3, your system is vulnerable to CVE-2024-54002.

What type of vulnerability is CVE-2024-54002?

CVE-2024-54002 is a performance-related vulnerability affecting the login functionality of the Dependency-Track software.

Vulnerability/
CVE-2024-54002

medium

5.3

CWE

203

4/12/2024

CVE-2024-54002: Dependency-Track allows enumeration of managed users via /api/v1/user/login endpoint

First published: Wed Dec 04 2024(Updated: )

Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Dependency-Track	<4.12.2

Never miss a vulnerability like this again

Reference Links

https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-9w3m-hm36-w32w

Frequently Asked Questions

What is the severity of CVE-2024-54002?
The severity of CVE-2024-54002 is categorized as medium due to the potential impact on user authentication performance.
How do I fix CVE-2024-54002?
To fix CVE-2024-54002, update Dependency-Track to version 4.12.3 or later to mitigate the vulnerability.
What is the impact of CVE-2024-54002 on user authentication?
CVE-2024-54002 causes significant delays in user login requests, which can affect user experience and potentially lead to denial of service.
Is my system affected by CVE-2024-54002?
If you are using Dependency-Track versions prior to 4.12.3, your system is vulnerable to CVE-2024-54002.
What type of vulnerability is CVE-2024-54002?
CVE-2024-54002 is a performance-related vulnerability affecting the login functionality of the Dependency-Track software.

agent/weakness
agent/title
agent/references
agent/type
agent/first-publish-date
agent/description
collector/nvd-api
source/NVD
agent/severity
agent/author
agent/event
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/softwarecombine
agent/tags
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/dependency-track
canonical/dependency-track

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.