漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Vulnerability Description
Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue.
CVSS Information
N/A
Vulnerability Type
通过数据查询的敏感数据暴露
Vulnerability Title
Vendure 安全漏洞
Vulnerability Description
Vendure是Vendure开源的一个电子商务框架。 Vendure 3.5.3之前版本存在安全漏洞,该漏洞源于NativeAuthenticationStrategy.authenticate方法存在时间差,可能导致用户名枚举攻击。
CVSS Information
N/A
Vulnerability Type
N/A