Component Type: Flow
Vulnerability Type: Information Disclosure
Severity: Low
Affected Versions: All Flow versions before 2.3.16, 3.0.10, 3.1.7, 3.2.7, 3.3.5
Release Date: November 1st, 2016
Suggested CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/CR:L/IR:L/AR:L
CVE: not assigned
Problem Description
The PersistedUsernamePasswordProvider was prone to an information disclosure of account existence via timing attacks, because the hashing of passwords was only done when a matching account was found, so a login attempt for an unknown username returned measurably faster. We changed the core so that the provider always performs a password comparison whenever credentials are submitted at all.
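The following is an added illustration of the flaw and the fix, not code from Flow or the Neos project (Flow itself is PHP; the pattern is shown in Python). It puts a vulnerable authenticate() that skips hashing on a lookup miss beside a fixed one that always performs a password comparison, falling back to a dummy record when the account is unknown. The account store, usernames, passwords and the PBKDF2 work factor are constructed for this example.

```python
"""
Added example (not Flow's own code): user-enumeration timing leak in a
username/password provider, vulnerable and fixed variants side by side.
All accounts, names and parameters below are constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from statistics import median

ITERATIONS = 50_000          # work factor; makes the hash cost observable
HASH_CALLS = {"count": 0}    # instrumentation: how often we actually hashed


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the expensive step whose presence or
    absence is what a remote attacker can measure."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed account store with a single real user.
ACCOUNTS = {"alice": make_account("correct horse battery staple")}

# Dummy record with a random password nobody knows. A lookup miss is
# verified against it so the miss costs one full hash, like a hit.
_DUMMY = make_account(os.urandom(32).hex())


def check(password: str, record: dict) -> bool:
    """Constant-time comparison of the freshly computed hash with the stored one."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def authenticate_vulnerable(username: str, password: str) -> bool:
    """Pre-fix behaviour: hashing only happens when the account exists,
    so an attempt for an unknown name returns without doing the work."""
    record = ACCOUNTS.get(username)
    if record is None:
        return False
    return check(password, record)


def authenticate_fixed(username: str, password: str) -> bool:
    """Post-fix behaviour: a password comparison is always performed once
    credentials were submitted. Unknown names are checked against the
    dummy record and rejected, so both paths do the same amount of work."""
    record = ACCOUNTS.get(username)
    if record is None:
        check(password, _DUMMY)   # burn the same work, discard the result
        return False
    return check(password, record)


def hash_calls_for(fn, username: str, password: str = "wrong") -> int:
    """Number of password-hash computations fn performs for one attempt."""
    before = HASH_CALLS["count"]
    fn(username, password)
    return HASH_CALLS["count"] - before


def timing_gap_ms(fn, rounds: int = 5) -> float:
    """Median wall-clock difference between a known and an unknown
    username (known minus unknown), in milliseconds. Large for the
    vulnerable variant, close to zero for the fixed one."""
    def attempt_time(user: str) -> float:
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            fn(user, "wrong")
            samples.append(time.perf_counter() - start)
        return median(samples)
    return (attempt_time("alice") - attempt_time("nobody")) * 1000


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_fixed):
        print("%-24s hashes: known=%d unknown=%d  gap=%.1f ms" % (
            fn.__name__,
            hash_calls_for(fn, "alice"),
            hash_calls_for(fn, "nobody"),
            timing_gap_ms(fn)))
```

The dummy record is built once at startup rather than per request, so the fixed path costs exactly one hash whether or not the account exists; what matters for the leak is that the number of expensive operations no longer depends on whether the username was found.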
Solution
Update to Flow 2.3.16, 3.0.10, 3.1.7, 3.2.7 or 3.3.5, which fix the problems described.
Credits
Thanks to Kevin Fischer and Coresec Systems who discovered the issues and to the Neos team for fixing and reviewing the fixes.