Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cleanuparr has Username Enumeration via Timing Attack
Vulnerability Description
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1.
CVSS Information
N/A
Vulnerability Type
通过时间差异性导致的信息暴露
Vulnerability Title
Cleanuparr 安全漏洞
Vulnerability Description
Cleanuparr是Cleanuparr开源的一个自动化清理下载队列中无效文件的工具。 Cleanuparr 2.8.0及之前版本存在安全漏洞,该漏洞源于/api/auth/login端点存在逻辑缺陷,可能导致未经验证的远程攻击者通过测量应用响应时间枚举有效用户名。
CVSS Information
N/A
Vulnerability Type
N/A