CVE-2020-25200 Information

Description

Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially the server returns HTTP error 401 for every failed login. However, if the username is valid, then after 20 login attempts the server starts responding with error 400, whereas invalid usernames keep receiving error 401 indefinitely. The differing status codes therefore act as an oracle that reveals whether a given username exists.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://github.com/lukaszstu/pritunl/blob/master/CVE-2020-25200

https://pritunl.com

https://pritunl.com/security

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM
