Vulnerability Information
Vulnerability Title
PolarLearn Affected by User Enumeration via Argon2 Timing Attack on Sign-In Endpoint
Vulnerability Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).
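The pattern described above, next to a common mitigation, as an added Python sketch that is not PolarLearn's code: the hardened handler always runs the slow hash, using a dummy record when the address is unknown. Assumptions: the standard library's scrypt stands in for Argon2, and the user store, function names and sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption: scrypt stands in for Argon2; the point is only that the KDF is slow.
KDF_CALLS = 0  # counts expensive hash computations so code paths can be compared


def slow_hash(password: str, salt: bytes) -> bytes:
    global KDF_CALLS
    KDF_CALLS += 1
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(password, salt)}


# Constructed user store; the address and password are sample values.
USERS = {"alice@example.test": make_record("correct horse")}

# Hash of a random throwaway password, computed once at start-up and
# verified against whenever the e-mail address is unknown.
DUMMY = make_record(os.urandom(16).hex())


def sign_in_vulnerable(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False  # fast path: no KDF runs, so the response is visibly quicker
    return hmac.compare_digest(slow_hash(password, user["salt"]), user["hash"])


def sign_in_hardened(email: str, password: str) -> bool:
    user = USERS.get(email)
    record = user if user is not None else DUMMY
    # Same expensive work on both paths; only the final result differs.
    matches = hmac.compare_digest(slow_hash(password, record["salt"]), record["hash"])
    return matches and user is not None


def kdf_calls_for(sign_in, email: str) -> int:
    """Return how many KDF runs one failed sign-in attempt for `email` costs."""
    before = KDF_CALLS
    sign_in(email, "wrong password")
    return KDF_CALLS - before
```

Counting KDF runs per request makes a deterministic regression check for this class of bug, where a wall-clock comparison would be noisy.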
CVSS Information
N/A
Vulnerability Type
Information Exposure
Vulnerability Title
PolarLearn Information Disclosure Vulnerability
Vulnerability Description
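PolarLearn is an open-source online learning platform from PolarNL. PolarLearn 0-PRERELEASE-15 and earlier versions contain an information disclosure vulnerability. The vulnerability stems from a timing attack in the sign-in process and may allow registered email addresses to be enumerated.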
CVSS Information
N/A
Vulnerability Type
N/A