Message-ID: <4b31462747644c479fb2e956ccbc3a73@imshyb01.MITRE.ORG>
Date: Thu, 19 Jan 2017 20:16:01 -0500
From: <cve-assign@...re.org>
To: <jelle@...aa.nl>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE request Weblate: information disclosure in password reset form

> Weblate contains an information disclosure issue in its password reset
> form. When entering an arbitrary email address in the password reset
> form Weblate will report back "User with this email address was not
> found." this makes it possible to figure out which user accounts exist
> on the weblate instance.
>
> https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079
> https://github.com/WeblateOrg/weblate/issues/1317

Use CVE-2017-5537. The scope of this CVE does not include the
issues/1317 comment of "The login form also does not seem to implement
any rate-limiting which makes it easy to bruteforce."

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
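The disclosure described in the quoted report, next to an enumeration-resistant handler and a regression check, as an added example that is not Weblate's code and not the referenced commit. All function names, the sample account and the generic message wording are hypothetical; only the "not found" string comes from the report.

```python
# Constructed sample data: the only account on this hypothetical instance.
USERS = {"alice@example.com"}

# Error string quoted in the report.
NOT_FOUND_MESSAGE = "User with this email address was not found."
# Assumed wording for a response that does not depend on account existence.
GENERIC_MESSAGE = (
    "If an account with this email address exists, "
    "a password reset link has been sent."
)


def reset_leaky(email, outbox):
    """Behaviour described in the report: the reply reveals whether the account exists."""
    address = email.strip().lower()
    if address not in USERS:
        return {"status": 200, "message": NOT_FOUND_MESSAGE}
    outbox.append(address)
    return {"status": 200, "message": "Password reset link sent."}


def reset_uniform(email, outbox):
    """Identical reply for every address; mail is queued only for real accounts."""
    address = email.strip().lower()
    if address in USERS:
        outbox.append(address)
    # Status, body and redirect target must all match across both branches;
    # response timing should be comparable too (for example, send mail from a queue).
    return {"status": 200, "message": GENERIC_MESSAGE}


def responses_differ(handler, known, unknown):
    """Regression check: True if a caller can tell a known address from an unknown one."""
    return handler(known, []) != handler(unknown, [])


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        leaks = responses_differ(handler, "alice@example.com", "nobody@example.com")
        print(f"{handler.__name__}: distinguishable responses = {leaks}")
```

A check like `responses_differ` fits in a test suite for any form that accepts an identifier (password reset, registration, login) so that a later change cannot reintroduce a distinguishable reply.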