Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2022-39314
HistoryOct 24, 2022 - 2:15 p.m.

CVE-2022-39314

2022-10-2414:15:51
CWE-307
GitHub_M
web.nvd.nist.gov
83
4
cve-2022-39314
kirby
cms
user enumeration
vulnerability
security
update

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

4.3

Confidence

High

EPSS

0.001

Percentile

31.3%

JSON

Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the code or password-reset auth method with the auth.methods option or if you have enabled the debug option in production. By using two or more IP addresses and multiple login attempts, valid user accounts will lock, but invalid accounts will not, leading to account enumeration. This issue has been patched in versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1. If you cannot update immediately, you can work around the issue by setting the auth.methods option to password, which disables the code-based login and password reset forms.

Affected configurations

Nvd
Vulners
Node
getkirbykirbyRange<3.5.8.2
OR
getkirbykirbyRange3.6.03.6.6.2
OR
getkirbykirbyRange3.7.03.7.5.1
OR
getkirbykirbyMatch3.8.0-
OR
getkirbykirbyMatch3.8.0rc1
OR
getkirbykirbyMatch3.8.0rc2
OR
getkirbykirbyMatch3.8.0rc3
VendorProductVersionCPE
getkirbykirby*cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*
getkirbykirby3.8.0cpe:2.3:a:getkirby:kirby:3.8.0:-:*:*:*:*:*:*
getkirbykirby3.8.0cpe:2.3:a:getkirby:kirby:3.8.0:rc1:*:*:*:*:*:*
getkirbykirby3.8.0cpe:2.3:a:getkirby:kirby:3.8.0:rc2:*:*:*:*:*:*
getkirbykirby3.8.0cpe:2.3:a:getkirby:kirby:3.8.0:rc3:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "getkirby",
    "product": "kirby",
    "versions": [
      {
        "version": ">= 3.5.0, < 3.5.8.2",
        "status": "affected"
      },
      {
        "version": ">= 2.6.0, < 3.6.6.2",
        "status": "affected"
      },
      {
        "version": ">= 3.7.0, <3.7.5.1",
        "status": "affected"
      },
      {
        "version": ">= 3.8.1, < 3.8.1",
        "status": "affected"
      }
    ]
  }
]

Social References

More

Related

cvelist 1
github 1
prion 1
osv 2
nvd 1
cvelist
cvelist
CVE-2022-39314 User enumeration in the code-based login and password reset forms
2022-10-24 00:00:00
github
github
Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms
2022-10-18 21:14:04
prion
prion
Code injection
2022-10-24 14:15:00
osv
osv
CVE-2022-39314
2022-10-24 14:15:51
Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms
2022-10-18 21:14:04
nvd
nvd
CVE-2022-39314
2022-10-24 14:15:51

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

4.3

Confidence

High

EPSS

0.001

Percentile

31.3%

JSON
Related for CVE-2022-39314
cvelist1github1prion1osv2nvd1