CVE-2024-24770 — vantage6 vulnerable to a username timing attack on recover password/MFA token

Description

### Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`, which send emails to users if they have lost their password or MFA token. Usernames can be found by assessing response time differences, and additionally, they can be found because the endpoint gives a response "Failed to login" if the username exists. ### Patches No ### Workarounds No

How to fix CVE-2024-24770

To remediate CVE-2024-24770, upgrade the affected package to a fixed version below.

—upgrade to 4.3.0 or later

Is CVE-2024-24770 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-24770
PATCHgithub.com/vantage6/vantage6
WEBgithub.com/vantage6/vantage6/commit/aecfd6d0e83165a41a60ebd52d2287b0217be26b
WEBgithub.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53