CWE-204
AllowedObservable Response Discrepancy
Abstraction: Base · Status: Incomplete
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
297 vulnerabilities reference this CWE, most recent first.
GHSA-HXJ8-JJXP-P43W
Vulnerability from github – Published: 2025-11-12 18:31 – Updated: 2025-11-12 18:31Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.
{
"affected": [],
"aliases": [
"CVE-2025-25236"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T18:15:35Z",
"severity": "MODERATE"
},
"details": "Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.",
"id": "GHSA-hxj8-jjxp-p43w",
"modified": "2025-11-12T18:31:25Z",
"published": "2025-11-12T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25236"
},
{
"type": "WEB",
"url": "https://static.omnissa.com/sites/default/files/OMSA-2025-0005.pdf"
},
{
"type": "WEB",
"url": "https://www.omnissa.com/omnissa-security-response"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J2HG-VP99-659F
Vulnerability from github – Published: 2026-02-13 00:32 – Updated: 2026-02-13 00:32DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.
{
"affected": [],
"aliases": [
"CVE-2019-25338"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T23:16:07Z",
"severity": "MODERATE"
},
"details": "DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server\u0027s error response messages.",
"id": "GHSA-j2hg-vp99-659f",
"modified": "2026-02-13T00:32:52Z",
"published": "2026-02-13T00:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25338"
},
{
"type": "WEB",
"url": "https://download.dokuwiki.org"
},
{
"type": "WEB",
"url": "https://www.dokuwiki.org/dokuwiki"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47731"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dokuwiki-b-username-enumeration"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J7F5-GFQM-PCX3
Vulnerability from github – Published: 2026-06-26 20:54 – Updated: 2026-06-26 20:54Summary
An unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.
Details
The account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely. An attacker can capture the email update request (for example, using Burp Suite's proxy) and modify the email field to test arbitrary addresses. The panel's response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.
This is concerning because:
- The login and password reset pages correctly implement protections against enumeration
- The account page has no reCAPTCHA option available
- No rate limiting exists in the panel for this endpoint
- Authentication is required, but any valid account (including free tier/trial accounts) can exploit this
PoC
- Log into the Pterodactyl panel with any valid account
- Navigate to Account Settings
- Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it
- Attempt to change your email address and capture the POST request
- Send the captured request to Repeater
- Modify the email field to test different addresses (e.g., admin@example.com, test@example.com)
- Send multiple requests in rapid succession
- Observe the response messages which confirm whether each email exists or not
- Repeat indefinitely without encountering rate limits or CAPTCHA challenges
Impact
This is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).
Who is impacted:
- All Pterodactyl panel installations are affected
- Any registered user's email address can be discovered
- Particularly impacts administrators and high-value accounts
Potential consequences:
- Attackers can build a complete database of registered users
- Enumerated emails can be used for targeted phishing campaigns
- Combined with other attacks (credential stuffing, social engineering)
- Privacy violation for all users on the platform
- Competitive intelligence gathering (identifying which companies/individuals use specific panels)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pterodactyl/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T20:54:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nAn unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.\n\n### Details\nThe account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely.\nAn attacker can capture the email update request (for example, using Burp Suite\u0027s proxy) and modify the email field to test arbitrary addresses. The panel\u0027s response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.\n\nThis is concerning because:\n\n- The login and password reset pages correctly implement protections against enumeration\n- The account page has no reCAPTCHA option available\n- No rate limiting exists in the panel for this endpoint\n- Authentication is required, but any valid account (including free tier/trial accounts) can exploit this\n\n### PoC\n- Log into the Pterodactyl panel with any valid account\n- Navigate to Account Settings\n- Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it\n- Attempt to change your email address and capture the POST request\n- Send the captured request to Repeater\n- Modify the email field to test different addresses (e.g., admin@example.com, test@example.com)\n- Send multiple requests in rapid succession\n- Observe the response messages which confirm whether each email exists or not \n- Repeat indefinitely without encountering rate limits or CAPTCHA challenges\n\n\n### Impact\nThis is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).\n\nWho is impacted:\n\n- All Pterodactyl panel installations are affected\n- Any registered user\u0027s email address can be discovered\n- Particularly impacts administrators and high-value accounts\n\nPotential consequences:\n\n- Attackers can build a complete database of registered users\n- Enumerated emails can be used for targeted phishing campaigns\n- Combined with other attacks (credential stuffing, social engineering)\n- Privacy violation for all users on the platform\n- Competitive intelligence gathering (identifying which companies/individuals use specific panels)",
"id": "GHSA-j7f5-gfqm-pcx3",
"modified": "2026-06-26T20:54:38Z",
"published": "2026-06-26T20:54:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-j7f5-gfqm-pcx3"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/panel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system"
}
GHSA-J7QG-8R9M-WXM8
Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2022-08-27 00:00All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users.
{
"affected": [],
"aliases": [
"CVE-2022-1989"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-23T10:15:00Z",
"severity": "MODERATE"
},
"details": "All CODESYS Visualization versions before V4.2.0.0 generate a login dialog vulnerable to information exposure allowing a remote, unauthenticated attacker to enumerate valid users.",
"id": "GHSA-j7qg-8r9m-wxm8",
"modified": "2022-08-27T00:00:49Z",
"published": "2022-08-24T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1989"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17142\u0026token=a3696ab41fef800d2eaee8043d40d5fbe94277fd\u0026download="
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JC64-QJC6-H5VP
Vulnerability from github – Published: 2025-03-28 15:31 – Updated: 2025-03-28 15:31User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to determine whether an email address is registered through specific error messages.
{
"affected": [],
"aliases": [
"CVE-2025-2910"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-28T13:15:41Z",
"severity": "MODERATE"
},
"details": "User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to determine whether an email address is registered through specific error messages.",
"id": "GHSA-jc64-qjc6-h5vp",
"modified": "2025-03-28T15:31:56Z",
"published": "2025-03-28T15:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2910"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fermax-mobile-applications"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JCVH-6RQ4-C7XR
Vulnerability from github – Published: 2022-06-23 00:00 – Updated: 2022-07-01 00:01A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37-1.
{
"affected": [],
"aliases": [
"CVE-2022-31248"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-22T10:15:00Z",
"severity": "MODERATE"
},
"details": "A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames. This issue affects: SUSE Manager Server 4.1 spacewalk-java versions prior to 4.1.46-1. SUSE Manager Server 4.2 spacewalk-java versions prior to 4.2.37-1.",
"id": "GHSA-jcvh-6rq4-c7xr",
"modified": "2022-07-01T00:01:15Z",
"published": "2022-06-23T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31248"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1199629"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JGC6-C9V8-VFQW
Vulnerability from github – Published: 2024-07-01 18:32 – Updated: 2024-07-01 18:32In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.
{
"affected": [],
"aliases": [
"CVE-2024-36996"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-01T17:15:08Z",
"severity": "MODERATE"
},
"details": "In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme.",
"id": "GHSA-jgc6-c9v8-vfqw",
"modified": "2024-07-01T18:32:41Z",
"published": "2024-07-01T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36996"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2024-0716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JRMV-PJXX-F4C4
Vulnerability from github – Published: 2025-02-12 15:31 – Updated: 2025-02-12 15:31A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2025-1101"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T14:15:31Z",
"severity": "MODERATE"
},
"details": "A CWE-204 \"Observable Response Discrepancy\" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests.",
"id": "GHSA-jrmv-pjxx-f4c4",
"modified": "2025-02-12T15:31:59Z",
"published": "2025-02-12T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1101"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-1101"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JV87-32HW-HH99
Vulnerability from github – Published: 2026-03-20 20:47 – Updated: 2026-03-27 21:59Impact
What kind of vulnerability is it? Who is impacted?
MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects.
All deployments with LDAP configured running an affected version are impacted.
There are two vulnerabilities:
- User Enumeration via Distinguishable Error Messages (CWE-204)
- Missing Rate Limiting on STS Authentication Endpoints (CWE-307)
When exploited together, an attacker can:
- Enumerate valid LDAP usernames by observing error message differences.
- Perform high-speed password brute-force attacks against confirmed valid users.
- Upon finding valid credentials, obtain temporary AWS-style STS credentials (
AccessKeyId,SecretAccessKey,SessionToken) with full access to the victim user's S3 resources.
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project.
Patches
Fixed in: MinIO AIStor RELEASE.2026-03-17T21-25-16Z
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20260317212516.0.0_amd64.deb |
| DEB | arm64 | minio_20260317212516.0.0_arm64.deb |
| RPM | amd64 | minio-20260317212516.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20260317212516.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
- Network-level rate limiting: Use a reverse proxy (e.g., nginx, HAProxy) or WAF to rate-limit requests to the
/?Action=AssumeRoleWithLDAPIdentityendpoint. - Firewall restrictions: Restrict access to the STS endpoint to trusted networks/IP ranges only.
- LDAP account lockout: Configure account lockout policies on the LDAP server itself (e.g., Active Directory lockout threshold). Note: this protects against brute-force but not enumeration, and may cause denial-of-service for legitimate users.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/minio/minio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33419"
],
"database_specific": {
"cwe_ids": [
"CWE-204",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:47:54Z",
"nvd_published_at": "2026-03-24T20:16:29Z",
"severity": "CRITICAL"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nMinIO AIStor\u0027s STS (Security Token Service) `AssumeRoleWithLDAPIdentity` endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim\u0027s S3 buckets and objects.\n\nAll deployments with LDAP configured running an affected version are impacted.\n\nThere are two vulnerabilities:\n\n1. User Enumeration via Distinguishable Error Messages (CWE-204)\n2. Missing Rate Limiting on STS Authentication Endpoints (CWE-307)\n\nWhen exploited together, an attacker can:\n\n1. Enumerate valid LDAP usernames by observing error message differences.\n3. Perform high-speed password brute-force attacks against confirmed valid users.\n4. Upon finding valid credentials, obtain temporary AWS-style STS credentials (`AccessKeyId`, `SecretAccessKey`, `SessionToken`) with full access to the victim user\u0027s S3 resources.\n\n### Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-03-17T21-25-16Z\n\n#### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB | amd64 | [minio_20260317212516.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260317212516.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20260317212516.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260317212516.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20260317212516.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260317212516.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20260317212516.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260317212516.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n \n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-03-17T21-25-16Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Network-level rate limiting**: Use a reverse proxy (e.g., nginx, HAProxy) or WAF to rate-limit requests to the `/?Action=AssumeRoleWithLDAPIdentity` endpoint.\n- **Firewall restrictions**: Restrict access to the STS endpoint to trusted networks/IP ranges only.\n- **LDAP account lockout**: Configure account lockout policies on the LDAP server itself (e.g., Active Directory lockout threshold). Note: this protects against brute-force but not enumeration, and may cause denial-of-service for legitimate users.",
"id": "GHSA-jv87-32hw-hh99",
"modified": "2026-03-27T21:59:08Z",
"published": "2026-03-20T20:47:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33419"
},
{
"type": "PACKAGE",
"url": "https://github.com/minio/minio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MinIO LDAP login brute-force via user enumeration and missing rate limit"
}
GHSA-JVFW-53C8-P9QG
Vulnerability from github – Published: 2024-11-15 18:30 – Updated: 2024-11-15 18:30A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device.
This vulnerability is due to differences in authentication responses that are sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to an affected device. A successful exploit could allow the attacker to confirm existing user accounts, which could be used in further attacks. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-20633"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-15T17:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco\u0026nbsp;ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device.\n\nThis vulnerability is due to differences in authentication responses that are sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to an affected device. A successful exploit could allow the attacker to confirm existing user accounts, which could be used in further attacks.\nCisco\u0026nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.",
"id": "GHSA-jvfw-53c8-p9qg",
"modified": "2024-11-15T18:30:51Z",
"published": "2024-11-15T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20633"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-multivulns-kbK2yVhR"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.