CVE-2024-54002

MEDIUM

Dependency-Track - Info Disclosure

Title source: llm

Description

Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2.

References (1)

[Vendor Advisory] https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-9w3m-hm36-w32w

Scores

CVSS v3 5.3

EPSS 0.0015

EPSS Percentile 35.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-203

Status published

Products (1)

DependencyTrack/dependency-track < 4.12.2

Published Dec 04, 2024

Tracked Since Feb 18, 2026