// For flags

CVE-2022-39315

Kirby CMS vulnerable to user enumeration in the brute force protection

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.

Kirby es un Sistema de Administrador de Contenidos. En versiones anteriores a 3.5.8.2, 3.6.6.2, 3.7.5.1 y 3.8.1, una vulnerabilidad de enumeración de usuarios afecta a todos los sitios Kirby con cuentas de usuario, a menos que la API y el Panel de Kirby estén deshabilitados en la configuración. Sólo puede ser explotada para ataques dirigidos porque el ataque no escala a la fuerza bruta. El problema ha sido parcheado en Kirby versiones 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1 y Kirby 3.8.1. En todas las versiones mencionadas, los mantenedores han reescrito el código afectado para que el retraso sea insertado también después de alcanzar el límite de fuerza bruta

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-09-02 CVE Reserved
  • 2022-10-25 CVE Published
  • 2024-05-17 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-204: Observable Response Discrepancy
  • CWE-209: Generation of Error Message Containing Sensitive Information
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Getkirby
Search vendor "Getkirby"
 Kirby
Search vendor "Getkirby" for product "Kirby"
 < 3.5.8.2
Search vendor "Getkirby" for product "Kirby" and version " < 3.5.8.2"
-
Affected
Getkirby
Search vendor "Getkirby"
 Kirby
Search vendor "Getkirby" for product "Kirby"
 >= 3.6.0 < 3.6.6.2
Search vendor "Getkirby" for product "Kirby" and version " >= 3.6.0 < 3.6.6.2"
-
Affected
Getkirby
Search vendor "Getkirby"
 Kirby
Search vendor "Getkirby" for product "Kirby"
 >= 3.7.0 < 3.7.5.1
Search vendor "Getkirby" for product "Kirby" and version " >= 3.7.0 < 3.7.5.1"
-
Affected
Getkirby
Search vendor "Getkirby"
 Kirby
Search vendor "Getkirby" for product "Kirby"
 3.8.0
Search vendor "Getkirby" for product "Kirby" and version "3.8.0"
-
Affected
Getkirby
Search vendor "Getkirby"
 Kirby
Search vendor "Getkirby" for product "Kirby"
 3.8.0
Search vendor "Getkirby" for product "Kirby" and version "3.8.0"
rc1
Affected
Getkirby
Search vendor "Getkirby"
 Kirby
Search vendor "Getkirby" for product "Kirby"
 3.8.0
Search vendor "Getkirby" for product "Kirby" and version "3.8.0"
rc2
Affected
Getkirby
Search vendor "Getkirby"
 Kirby
Search vendor "Getkirby" for product "Kirby"
 3.8.0
Search vendor "Getkirby" for product "Kirby" and version "3.8.0"
rc3
Affected