Actions
Defect #37517
closedUser disclosure vulnerability via "Forgot password" functionality
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Resolution:
Duplicate
Affected version:
Description
The redmine application reveals the existing users in the system database and their current status by using the "forgot password" functionality, as different messages will appear when entering your email to recover your password if the user in the email is pending approval, does not correspond to any user or is assigned to an active user.
This could therefore help attackers to perform more sophisticated and targeted brute force attacks.
Solution: Display the same message when executing this functionality, without differentiating whether the user exists, is pending approval or is incorrect.
Related issues
Actions