Publish GHSA-3ggv-qwcp-j6xg

advisory-database[bot] · advisory-database[bot] · commit 3cff43eca407 · 2025-09-03T22:22:24.000Z
diff --git a/advisories/github-reviewed/2025/09/GHSA-3ggv-qwcp-j6xg/GHSA-3ggv-qwcp-j6xg.json b/advisories/github-reviewed/2025/09/GHSA-3ggv-qwcp-j6xg/GHSA-3ggv-qwcp-j6xg.json
@@ -0,0 +1,107 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3ggv-qwcp-j6xg",
+  "modified": "2025-09-03T22:20:16Z",
+  "published": "2025-09-03T22:20:16Z",
+  "aliases": [
+    "CVE-2025-9824"
+  ],
+  "summary": "Mautic Vulnerable to User Enumeration via Response Timing",
+  "details": "### Impact\nThe attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks.\n\n### Patches\nThis vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not.\n\n### Technical Details\nThe vulnerability was caused by different response times when:\n- A valid username was provided (password hashing occurred)\n- An invalid username was provided (no password hashing occurred)\n\nThe fix introduces a `TimingSafeFormLoginAuthenticator` that performs a dummy password hash verification even for non-existent users, ensuring consistent timing.\n\n### Workarounds\nNo workarounds are available. Users should upgrade to the patched version.\n\n### References\n- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account\n- https://github.com/mautic/mautic-security/pull/146",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mautic/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.4.0"
+            },
+            {
+              "fixed": "4.4.17"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mautic/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0-alpha"
+            },
+            {
+              "fixed": "5.2.8"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mautic/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.0.0-alpha"
+            },
+            {
+              "fixed": "6.0.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-3ggv-qwcp-j6xg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9824"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mautic/mautic/commit/6bc4f5f1aabb13df12714ad0ea9fc281cbb867c6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mautic/mautic/commit/b4264c717ce31fbafafcefc04b02ecb9fb911e62"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mautic/mautic"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-204"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-03T22:20:16Z",
+    "nvd_published_at": "2025-09-03T15:15:49Z"
+  }
+}
