CVE-2024-0391

Severity: MEDIUM | CVSS 4.3/10 | EPSS 0.18%

CVE-2024-0391 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences. EPSS estimates a 0.18% chance of exploitation in the next 30 days.

Description

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.

Metrics

CVSS 3.1: 4.3/10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS probability: 0.18% (8.2nd percentile)
Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor   Product                           Versions
WSO2     Identity Server                   >= 5.10.0, < 5.10.0.379
WSO2     Identity Server                   >= 5.11.0, < 5.11.0.426
WSO2     Identity Server                   >= 6.0.0, < 6.0.0.253
WSO2     Identity Server                   >= 6.1.0, < 6.1.0.254
WSO2     Identity Server                   >= 7.0.0, < 7.0.0.131
WSO2     Identity Server as Key Manager    >= 5.10.0, < 5.10.267
WSO2     Open Banking IAM                  >= 2.0.0, < 2.0.0.318

References

Timeline

Published:
Last Modified:
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-0391?
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
How severe is CVE-2024-0391?
CVE-2024-0391 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 0.18% probability of exploitation in the next 30 days.
How do I fix CVE-2024-0391?
Check the vendor references and advisories for patched versions and mitigation guidance; the affected-software table above lists the first fixed build for each product line. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST