- Risk: low
- CVSS v3 Base Score: 5.4
- CVSS v3 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
- CWE ID: CWE-200
- CWE Name: Exposure of Sensitive Information to an Unauthorized Actor
- CVE: CVE-2021-29659
Description
The sharing dialog implements a user enumeration mitigation to prevent an authenticated user from obtaining
a list of all accounts registered on the instance via the auto-complete dropdown. In the default configuration, at least
3 characters of the name or email of the share receiver (“Sharee”) must match an existing account before the autocomplete returns results.
Due to a bug in the related API endpoint, an attacker could enumerate all users in a single request by entering three
whitespace characters.
As a secondary effect, retrieving all users on a large instance could cause higher than average load on the instance.
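The following is an added illustration, not ownCloud's code: a minimal model of a sharee auto-complete lookup with the minimum-length gate applied before versus after whitespace normalisation. The user list, the `MIN_SEARCH_LENGTH` setting and the assumption that the backend trims the term (so a whitespace-only term becomes an empty substring that matches everyone) are all constructed for the example.

```python
# Added example, not ownCloud's code. Models a sharee auto-complete endpoint
# whose user-enumeration mitigation requires a minimum search-term length.
MIN_SEARCH_LENGTH = 3  # hypothetical setting mirroring the "at least 3 characters" default

USERS = [  # constructed sample accounts
    {"uid": "alice", "email": "alice@example.org"},
    {"uid": "bob", "email": "bob@example.org"},
    {"uid": "carol", "email": "carol@example.org"},
]


def _match(term, user):
    """Case-insensitive substring match on uid or email.

    An empty term matches every account, which is why the length gate must
    inspect the normalised term rather than the raw request parameter.
    """
    term = term.lower()
    return term in user["uid"].lower() or term in user["email"].lower()


def search_weak(term):
    """Vulnerable pattern (assumed bug model): gate on the raw input length.

    Three spaces pass the gate, the backend then strips them to '' and the
    empty substring matches everyone, returning the full account list.
    """
    if len(term) < MIN_SEARCH_LENGTH:
        return []
    normalised = term.strip()
    return [u["uid"] for u in USERS if _match(normalised, u)]


def search_hardened(term):
    """Fixed pattern: normalise first, then apply the minimum-length gate.

    Whitespace-only or padded-short input never reaches the lookup.
    """
    normalised = term.strip()
    if len(normalised) < MIN_SEARCH_LENGTH:
        return []
    return [u["uid"] for u in USERS if _match(normalised, u)]
```

The same normalise-then-gate ordering applies to any other characters the backend discards before matching (for instance wildcards), since anything stripped after the check effectively shortens the term the user really searched for.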
Affected
- core 10.6
Action taken
The enumeration mitigation is now properly enforced.
Acknowledgment
Thanks to Max van der Linden & Justin Aarden from Secura, working on assignment from SURF.