CVE-2022-27891

MEDIUM

Palantir Gotham < 3.22.10.4 - Unauthenticated Active Username Enumeration

Title source: llm

Description

Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0.

References (1)

Core 1

Core References

Vendor Advisory

https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-10.md

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0043

EPSS Percentile 34.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200 CWE-306

Status published

Products (1)

palantir/gotham < 3.22.10.4

Published Feb 16, 2023

Tracked Since Feb 18, 2026