CVE-2017-9978 Information

Description

On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1 a flaw was found with the error message sent as a response for users that don’t exist on the system. An attacker could leverage this information to fine-tune and enumerate valid accounts on the system by searching for common usernames.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

http://packetstormsecurity.com/files/143780/OSNEXUS-QuantaStor-4-Information-Disclosure.html http://seclists.org/fulldisclosure/2017/Aug/23 http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt https://www.exploit-db.com/exploits/42517/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

5.3