Common Weakness Enumeration

CWE-204

Allowed

Observable Response Discrepancy

Abstraction: Base · Status: Incomplete

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

297 vulnerabilities reference this CWE, most recent first.

GHSA-HXJ8-JJXP-P43W

Vulnerability from github – Published: 2025-11-12 18:31 – Updated: 2025-11-12 18:31
VLAI
Details

Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T18:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.",
  "id": "GHSA-hxj8-jjxp-p43w",
  "modified": "2025-11-12T18:31:25Z",
  "published": "2025-11-12T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25236"
    },
    {
      "type": "WEB",
      "url": "https://static.omnissa.com/sites/default/files/OMSA-2025-0005.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.omnissa.com/omnissa-security-response"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J2HG-VP99-659F

Vulnerability from github – Published: 2026-02-13 00:32 – Updated: 2026-02-13 00:32
VLAI
Details

DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T23:16:07Z",
    "severity": "MODERATE"
  },
  "details": "DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server\u0027s error response messages.",
  "id": "GHSA-j2hg-vp99-659f",
  "modified": "2026-02-13T00:32:52Z",
  "published": "2026-02-13T00:32:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25338"
    },
    {
      "type": "WEB",
      "url": "https://download.dokuwiki.org"
    },
    {
      "type": "WEB",
      "url": "https://www.dokuwiki.org/dokuwiki"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/47731"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/dokuwiki-b-username-enumeration"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J7F5-GFQM-PCX3

Vulnerability from github – Published: 2026-06-26 20:54 – Updated: 2026-06-26 20:54
VLAI
Summary
Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system
Details

Summary

An unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.

Details

The account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely. An attacker can capture the email update request (for example, using Burp Suite's proxy) and modify the email field to test arbitrary addresses. The panel's response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.

This is concerning because:

  • The login and password reset pages correctly implement protections against enumeration
  • The account page has no reCAPTCHA option available
  • No rate limiting exists in the panel for this endpoint
  • Authentication is required, but any valid account (including free tier/trial accounts) can exploit this

PoC

  • Log into the Pterodactyl panel with any valid account
  • Navigate to Account Settings
  • Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it
  • Attempt to change your email address and capture the POST request
  • Send the captured request to Repeater
  • Modify the email field to test different addresses (e.g., admin@example.com, test@example.com)
  • Send multiple requests in rapid succession
  • Observe the response messages which confirm whether each email exists or not
  • Repeat indefinitely without encountering rate limits or CAPTCHA challenges

Impact

This is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).

Who is impacted:

  • All Pterodactyl panel installations are affected
  • Any registered user's email address can be discovered
  • Particularly impacts administrators and high-value accounts

Potential consequences:

  • Attackers can build a complete database of registered users
  • Enumerated emails can be used for targeted phishing campaigns
  • Combined with other attacks (credential stuffing, social engineering)
  • Privacy violation for all users on the platform
  • Competitive intelligence gathering (identifying which companies/individuals use specific panels)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pterodactyl/panel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:54:38Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.\n\n### Details\nThe account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely.\nAn attacker can capture the email update request (for example, using Burp Suite\u0027s proxy) and modify the email field to test arbitrary addresses. The panel\u0027s response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.\n\nThis is concerning because:\n\n- The login and password reset pages correctly implement protections against enumeration\n- The account page has no reCAPTCHA option available\n- No rate limiting exists in the panel for this endpoint\n- Authentication is required, but any valid account (including free tier/trial accounts) can exploit this\n\n### PoC\n- Log into the Pterodactyl panel with any valid account\n- Navigate to Account Settings\n- Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it\n- Attempt to change your email address and capture the POST request\n- Send the captured request to Repeater\n- Modify the email field to test different addresses (e.g., admin@example.com, test@example.com)\n- Send multiple requests in rapid succession\n- Observe the response messages which confirm whether each email exists or not \n- Repeat indefinitely without encountering rate limits or CAPTCHA challenges\n\n\n### Impact\nThis is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).\n\nWho is impacted:\n\n- All Pterodactyl panel installations are affected\n- Any registered user\u0027s email address can be discovered\n- Particularly impacts administrators and high-value accounts\n\nPotential consequences:\n\n- Attackers can build a complete database of registered users\n- Enumerated emails can be used for targeted phishing campaigns\n- Combined with other attacks (credential stuffing, social engineering)\n- Privacy violation for all users on the platform\n- Competitive intelligence gathering (identifying which companies/individuals use specific panels)",
  "id": "GHSA-j7f5-gfqm-pcx3",
  "modified": "2026-06-26T20:54:38Z",
  "published": "2026-06-26T20:54:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-j7f5-gfqm-pcx3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pterodactyl/panel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system"
}

GHSA-J7QG-8R9M-WXM8

Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2022-08-27 00:00
VLAI
Details

All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-23T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users.",
  "id": "GHSA-j7qg-8r9m-wxm8",
  "modified": "2022-08-27T00:00:49Z",
  "published": "2022-08-24T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1989"
    },
    {
      "type": "WEB",
      "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17142\u0026token=a3696ab41fef800d2eaee8043d40d5fbe94277fd\u0026download="
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC64-QJC6-H5VP

Vulnerability from github – Published: 2025-03-28 15:31 – Updated: 2025-03-28 15:31
VLAI
Details

User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to determine whether an email address is registered through specific error messages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-28T13:15:41Z",
    "severity": "MODERATE"
  },
  "details": "User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to determine whether an email address is registered through specific error messages.",
  "id": "GHSA-jc64-qjc6-h5vp",
  "modified": "2025-03-28T15:31:56Z",
  "published": "2025-03-28T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2910"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fermax-mobile-applications"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JCVH-6RQ4-C7XR

Vulnerability from github – Published: 2022-06-23 00:00 – Updated: 2022-07-01 00:01
VLAI
Details

A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37-1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-22T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37-1.",
  "id": "GHSA-jcvh-6rq4-c7xr",
  "modified": "2022-07-01T00:01:15Z",
  "published": "2022-06-23T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31248"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1199629"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGC6-C9V8-VFQW

Vulnerability from github – Published: 2024-07-01 18:32 – Updated: 2024-07-01 18:32
VLAI
Details

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T17:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.",
  "id": "GHSA-jgc6-c9v8-vfqw",
  "modified": "2024-07-01T18:32:41Z",
  "published": "2024-07-01T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36996"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2024-0716"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRMV-PJXX-F4C4

Vulnerability from github – Published: 2025-02-12 15:31 – Updated: 2025-02-12 15:31
VLAI
Details

A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T14:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-204 \"Observable Response Discrepancy\" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests.",
  "id": "GHSA-jrmv-pjxx-f4c4",
  "modified": "2025-02-12T15:31:59Z",
  "published": "2025-02-12T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1101"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-1101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JV87-32HW-HH99

Vulnerability from github – Published: 2026-03-20 20:47 – Updated: 2026-03-27 21:59
VLAI
Summary
MinIO LDAP login brute-force via user enumeration and missing rate limit
Details

Impact

What kind of vulnerability is it? Who is impacted?

MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects.

All deployments with LDAP configured running an affected version are impacted.

There are two vulnerabilities:

  1. User Enumeration via Distinguishable Error Messages (CWE-204)
  2. Missing Rate Limiting on STS Authentication Endpoints (CWE-307)

When exploited together, an attacker can:

  1. Enumerate valid LDAP usernames by observing error message differences.
  2. Perform high-speed password brute-force attacks against confirmed valid users.
  3. Upon finding valid credentials, obtain temporary AWS-style STS credentials (AccessKeyId, SecretAccessKey, SessionToken) with full access to the victim user's S3 resources.

Affected Versions

All MinIO releases through the final release of the minio/minio open-source project.

Patches

Fixed in: MinIO AIStor RELEASE.2026-03-17T21-25-16Z

Binary Downloads

Platform Architecture Download
Linux amd64 minio
Linux arm64 minio
macOS arm64 minio
macOS amd64 minio
Windows amd64 minio.exe

FIPS Binaries

Platform Architecture Download
Linux amd64 minio.fips
Linux arm64 minio.fips

Package Downloads

Format Architecture Download
DEB amd64 minio_20260317212516.0.0_amd64.deb
DEB arm64 minio_20260317212516.0.0_arm64.deb
RPM amd64 minio-20260317212516.0.0-1.x86_64.rpm
RPM arm64 minio-20260317212516.0.0-1.aarch64.rpm

Container Images

# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z

# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips

Homebrew (macOS)

brew install minio/aistor/minio

Workarounds

If upgrading is not immediately possible:

  • Network-level rate limiting: Use a reverse proxy (e.g., nginx, HAProxy) or WAF to rate-limit requests to the /?Action=AssumeRoleWithLDAPIdentity endpoint.
  • Firewall restrictions: Restrict access to the STS endpoint to trusted networks/IP ranges only.
  • LDAP account lockout: Configure account lockout policies on the LDAP server itself (e.g., Active Directory lockout threshold). Note: this protects against brute-force but not enumeration, and may cause denial-of-service for legitimate users.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204",
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:47:54Z",
    "nvd_published_at": "2026-03-24T20:16:29Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nMinIO AIStor\u0027s STS (Security Token Service) `AssumeRoleWithLDAPIdentity` endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim\u0027s S3 buckets and objects.\n\nAll deployments with LDAP configured running an affected version are impacted.\n\nThere are two vulnerabilities:\n\n1. User Enumeration via Distinguishable Error Messages (CWE-204)\n2. Missing Rate Limiting on STS Authentication Endpoints (CWE-307)\n\nWhen exploited together, an attacker can:\n\n1. Enumerate valid LDAP usernames by observing error message differences.\n3. Perform high-speed password brute-force attacks against confirmed valid users.\n4. Upon finding valid credentials, obtain temporary AWS-style STS credentials (`AccessKeyId`, `SecretAccessKey`, `SessionToken`) with full access to the victim user\u0027s S3 resources.\n\n### Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-03-17T21-25-16Z\n\n#### Binary Downloads\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio)           |\n| Linux    | arm64        | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio)           |\n| macOS    | arm64        | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio)          |\n| macOS    | amd64        | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio)          |\n| Windows  | amd64        | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download                                                                    |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux    | amd64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux    | arm64        | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download                                                                                                                            |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB    | amd64        | [minio_20260317212516.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260317212516.0.0_amd64.deb)         |\n| DEB    | arm64        | [minio_20260317212516.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260317212516.0.0_arm64.deb)         |\n| RPM    | amd64        | [minio-20260317212516.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260317212516.0.0-1.x86_64.rpm)   |\n| RPM    | arm64        | [minio-20260317212516.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260317212516.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n \n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-03-17T21-25-16Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Network-level rate limiting**: Use a reverse proxy (e.g., nginx, HAProxy) or WAF to rate-limit requests to the `/?Action=AssumeRoleWithLDAPIdentity` endpoint.\n- **Firewall restrictions**: Restrict access to the STS endpoint to trusted networks/IP ranges only.\n- **LDAP account lockout**: Configure account lockout policies on the LDAP server itself (e.g., Active Directory lockout threshold). Note: this protects against brute-force but not enumeration, and may cause denial-of-service for legitimate users.",
  "id": "GHSA-jv87-32hw-hh99",
  "modified": "2026-03-27T21:59:08Z",
  "published": "2026-03-20T20:47:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33419"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MinIO LDAP login brute-force via user enumeration and missing rate limit"
}

GHSA-JVFW-53C8-P9QG

Vulnerability from github – Published: 2024-11-15 18:30 – Updated: 2024-11-15 18:30
VLAI
Details

A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device.

This vulnerability is due to differences in authentication responses that are sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to an affected device. A successful exploit could allow the attacker to confirm existing user accounts, which could be used in further attacks. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-15T17:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco\u0026nbsp;ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device.\n\nThis vulnerability is due to differences in authentication responses that are sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to an affected device. A successful exploit could allow the attacker to confirm existing user accounts, which could be used in further attacks.\nCisco\u0026nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.",
  "id": "GHSA-jvfw-53c8-p9qg",
  "modified": "2024-11-15T18:30:51Z",
  "published": "2024-11-15T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20633"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-multivulns-kbK2yVhR"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe

An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.

CAPEC-332: ICMP IP 'ID' Field Error Message Probe

An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.

CAPEC-541: Application Fingerprinting

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

CAPEC-580: System Footprinting

An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.