CVE-2022-31248

SUMA user enumeration via weak error message

CVSS 5.3 MEDIUM | EPSS 1.0% | CWE-204
In short

The system reveals different error messages when you try to log in with an existing username versus a non-existent one, allowing attackers to discover valid usernames without needing a password.

Technical detail

An observable response discrepancy in SUSE Manager's authentication mechanism (spacewalk-java) permits unauthenticated remote attackers to enumerate valid usernames by analyzing differential error messages. This information disclosure vulnerability (CWE-204) requires only network access and no authentication, facilitating subsequent targeted attacks.

Summary generated and translated by AI from the official description.
An Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37-1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
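The CWE-204 pattern described above, modelled as an added Python example (not spacewalk-java's code): a leaky login handler that returns a different message depending on whether the account exists, the hardened form that returns one generic message and does the same hashing work for unknown users, and a self-check a defender can run against either handler. The user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user store (username -> password hash); a real store uses a per-user salt.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"admin": _hash("correct horse battery staple")}
# Random dummy hash so a lookup for a non-existent user costs the same as a real one.
_DUMMY = _hash(secrets.token_hex(16))

GENERIC = "Invalid username or password"


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """CWE-204: the failure message reveals whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        return False, "No such user"          # distinguishable response
    if not hmac.compare_digest(stored, _hash(password)):
        return False, "Incorrect password"    # distinguishable response
    return True, "OK"


def login_fixed(username: str, password: str) -> tuple[bool, str]:
    """Hardened: one generic message, and the password is always hashed and compared."""
    stored = USERS.get(username, _DUMMY)
    # compare_digest runs first so timing does not depend on whether the user exists.
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    return (True, "OK") if ok else (False, GENERIC)


def response_discrepancy(handler, known_user: str, unknown_user: str) -> bool:
    """Defender's self-check: True if a failed login answers differently for an
    existing account than for a non-existent one (the condition this CVE describes)."""
    wrong = "definitely-not-the-password"
    return handler(known_user, wrong)[1] != handler(unknown_user, wrong)[1]
```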
