Component Type: Flow
Vulnerability Type: Information Disclosure
Affected Versions: All Flow versions before 2.3.16, 3.0.10, 3.1.7, 3.2.7, 3.3.5
Release Date: November 1st, 2016
Suggested CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/CR:L/IR:L/AR:L
CVE: not assigned
The PersistedUsernamePasswordProvider was prone to an information disclosure of account existence via timing attacks, because password hashing was only performed when a matching account was found: a login attempt for a non-existent account returned measurably faster than one for an existing account. We changed the core so that the provider always performs a password comparison whenever credentials are submitted at all, regardless of whether the account exists.
Upgrade to Flow 2.3.16, 3.0.10, 3.1.7, 3.2.7 or 3.3.5, which fix the problems described.
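The following is an added illustration of the timing side channel described above and of the mitigation pattern (always doing a password comparison even when no account matches). It is not Flow's code; the account store, the PBKDF2 hashing, the dummy credential and the `probe` helper are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample setup (not Flow's account repository or hashing strategy).
ITERATIONS = 50_000          # deliberately slow hash, as a real password hash should be
HASH_CALLS = [0]             # counts expensive hash computations, to make the leak visible


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash; every call costs roughly the same amount of time."""
    HASH_CALLS[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed account store: username -> (salt, stored hash)
_alice_salt = os.urandom(16)
ACCOUNTS = {"alice": (_alice_salt, hash_password("correct horse", _alice_salt))}

# Dummy credential hashed once at startup so that unknown accounts still cost one
# hash computation per attempt (assumption: a hypothetical mitigation, not Flow's own code).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password", _DUMMY_SALT)


def authenticate_vulnerable(username: str, password: str) -> bool:
    """Pattern before the fix: unknown accounts return early without hashing,
    so the response time reveals whether the account exists."""
    account = ACCOUNTS.get(username)
    if account is None:
        return False                      # fast path: no hashing at all
    salt, stored = account
    return hmac.compare_digest(hash_password(password, salt), stored)


def authenticate_hardened(username: str, password: str) -> bool:
    """Pattern after the fix: a password comparison is always performed, so
    known and unknown accounts cost the same amount of work."""
    account = ACCOUNTS.get(username)
    if account is None:
        salt, stored, exists = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, stored), exists = account, True
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    # Hashing has already happened; only now do we fold in account existence.
    return exists and matches


def probe(authenticate, username: str, password: str):
    """Return (result, number of hash computations) for one login attempt."""
    before = HASH_CALLS[0]
    result = authenticate(username, password)
    return result, HASH_CALLS[0] - before


if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_vulnerable), ("hardened", authenticate_hardened)):
        print(name, "unknown user:", probe(fn, "nobody", "x"))
        print(name, "known user, wrong pw:", probe(fn, "alice", "wrong"))
        print(name, "known user, right pw:", probe(fn, "alice", "correct horse"))
```

In the vulnerable variant an attempt against a non-existent account does zero hash computations, while an attempt against an existing account does one; with a deliberately slow hash that difference is large enough to measure over the network. The hardened variant performs exactly one hash computation on every path, and `hmac.compare_digest` keeps the final comparison itself constant-time.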
Thanks to Kevin Fischer and Coresec Systems who discovered the issues and to the Neos team for fixing and reviewing the fixes.