
CVE-2023-39343:
Sulu Observable Response Discrepancy on Admin Login

CVSS Score
4.3

Basic Information

EPSS Score
-
Published
8/3/2023
Updated
11/10/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name
sulu/sulu
Ecosystem
composer
Vulnerable Versions
>= 2.5.0, < 2.5.10
First Patched Version
2.5.10

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from returning raw exception messages in authentication failures. The patch changes $exception->getMessage() to $exception->getMessageKey() to prevent user enumeration. The modified line in AuthenticationHandler.php's onAuthenticationFailure method directly matches the described attack vector and the provided workaround. The removal of user-specific error messages in JSON responses addresses CWE-204 by eliminating observable discrepancies between valid and invalid account responses.
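The pattern the root cause describes, as an added illustration that is not Sulu's or Symfony's code: a failure handler that echoes the raw exception message beside one that returns only the generic message key, with a check that compares the responses for an unknown account and for a known account with a wrong password. The exception classes are a simplified stand-in for Symfony's AuthenticationException hierarchy (assumed here: getMessage() carries the detailed internal reason, getMessageKey() one display-safe message regardless of the cause).

```php
<?php
// Added illustration of the CWE-204 fix described above (not Sulu's or Symfony's code).
// Simplified stand-in for Symfony's AuthenticationException hierarchy:
// getMessage() holds the detailed, account-specific reason;
// getMessageKey() holds a generic message intended for display.

class AuthenticationException extends \RuntimeException
{
    // Assumed behaviour for this illustration: one display-safe message, whatever the cause.
    public function getMessageKey(): string
    {
        return 'Invalid credentials.';
    }
}
class UserNotFoundException extends AuthenticationException {}
class BadCredentialsException extends AuthenticationException {}

// Vulnerable handler (before the patch): the raw exception message reaches the JSON body.
function onAuthenticationFailureVulnerable(AuthenticationException $e): array
{
    return ['status' => 401, 'body' => json_encode(['message' => $e->getMessage()])];
}

// Hardened handler (after the patch): only the generic message key is returned.
function onAuthenticationFailureFixed(AuthenticationException $e): array
{
    return ['status' => 401, 'body' => json_encode(['message' => $e->getMessageKey()])];
}

// Observable-discrepancy check: true when the handler answers an unknown account
// differently from a known account with a wrong password (the CWE-204 condition).
function leaksAccountExistence(callable $handler): bool
{
    // Constructed failure cases for the two login outcomes.
    $unknown = new UserNotFoundException('User "ghost@example.com" could not be found.');
    $wrongPw = new BadCredentialsException('The presented password is invalid.');
    return $handler($unknown) !== $handler($wrongPw);
}

var_dump(leaksAccountExistence('onAuthenticationFailureVulnerable'));
var_dump(leaksAccountExistence('onAuthenticationFailureFixed'));
```

leaksAccountExistence() reports true for the vulnerable handler and false for the hardened one, which is the property a regression test for this issue should assert.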


WAF Protection Rules

WAF Rule

Impact
Over the admin login form it allows detecting which users (username, email) exist and which do not. Impacted by this issue are Sulu installations >= 2.5.0 and < 2.5.10 using the newer Symfony Security System, which is default sinc
