CVE-2023-44399

CVSS v3 Score
5.3
Medium

Vulnerability Description

ZITADEL provides identity infrastructure. In versions 2.37.2 and prior, ZITADEL administrators can enable a setting called "Ignoring unknown usernames", which helps mitigate attacks that try to guess or enumerate usernames. While this setting worked correctly during the authentication process, it was not applied to the password reset flow. This meant that even with the feature active, an attacker could use the password reset function to verify whether an account exists within ZITADEL. This bug has been patched in versions 2.37.3 and 2.38.0. No known workarounds are available.
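The bug class described above (and in the Vaultize and Backdrop CMS entries in the related list on this page) is a password-reset endpoint whose response differs depending on whether the submitted username exists. The following Go program is an added illustration written for this page; it is not ZITADEL's code and does not reproduce its internals. It uses a constructed in-memory user table, a hypothetical `/password/reset` form handler in two variants (one that answers "user not found" for unknown names, one that returns a single fixed response either way), and a `LeaksExistence` probe of the kind a tester would run to check whether the flow can be used as an enumeration oracle.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed sample user store for this example: username -> e-mail address.
// Not ZITADEL's data model.
var users = map[string]string{
	"alice": "alice@example.test",
	"bob":   "bob@example.test",
}

// resetMailQueue records the reset mails that would be handed to a mailer.
// Queuing (rather than sending synchronously) also keeps response time from
// depending on whether the account exists.
var resetMailQueue []string

// VulnerableResetHandler shows the bug class: the "ignore unknown usernames"
// policy is not applied here, so an unknown name gets a different status code
// and body than a known one. Hypothetical handler, not project code.
func VulnerableResetHandler(w http.ResponseWriter, r *http.Request) {
	name := r.FormValue("username")
	email, ok := users[name]
	if !ok {
		// Distinct response for unknown accounts: an enumeration oracle.
		http.Error(w, "user not found", http.StatusNotFound)
		return
	}
	resetMailQueue = append(resetMailQueue, email)
	fmt.Fprintln(w, "reset mail sent")
}

// HardenedResetHandler returns the same status, headers and body regardless of
// account existence; the only difference (queuing a mail) is not observable
// to the requester.
func HardenedResetHandler(w http.ResponseWriter, r *http.Request) {
	name := r.FormValue("username")
	if email, ok := users[name]; ok {
		resetMailQueue = append(resetMailQueue, email)
	}
	w.WriteHeader(http.StatusAccepted)
	fmt.Fprintln(w, "if the account exists, a reset mail has been sent")
}

// Probe submits one reset request and returns the status code and trimmed
// body, the two signals an enumeration attack compares.
func Probe(h http.HandlerFunc, name string) (int, string) {
	form := url.Values{"username": {name}}
	req := httptest.NewRequest(http.MethodPost, "/password/reset",
		strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// LeaksExistence reports whether the handler answers a known and an unknown
// username differently, i.e. whether it can be used to confirm accounts.
func LeaksExistence(h http.HandlerFunc, known, unknown string) bool {
	knownCode, knownBody := Probe(h, known)
	unknownCode, unknownBody := Probe(h, unknown)
	return knownCode != unknownCode || knownBody != unknownBody
}

func main() {
	fmt.Println("vulnerable handler leaks existence:",
		LeaksExistence(VulnerableResetHandler, "alice", "mallory"))
	fmt.Println("hardened handler leaks existence:  ",
		LeaksExistence(HardenedResetHandler, "alice", "mallory"))
	fmt.Println("queued reset mails:", resetMailQueue)
}
```

The probe only compares status and body; in a real assessment also diff response headers, redirect targets and timing, and check every flow that takes a username (login, reset, registration, invitation) separately, since, as the advisory shows, a policy enforced in one flow is not automatically enforced in the others. The uniform response is a mitigation for enumeration only; rate limiting on the reset endpoint still belongs alongside it.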

CVSS:5.3(Medium)

Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

CVSS:5.3(Medium)

An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. Enumeration of users is possible through the password-reset feature.

CVSS:5.3(Medium)

In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.

CVSS:5.3(Medium)

An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. ...

CVSS:5.3(Medium)

An issue in Mobicint Backend for Credit Unions v3 allows attackers to retrieve partial email addresses and user entered information via submission to the forgotten-password endpoint.

CVSS:5.3(Medium)

An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.