Bug 1020745 - (CVE-2017-5537) VUL-1: CVE-2017-5537: weblate: information disclosure in password reset form
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE.org
Component: Infrastructure
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
Lars Vogdt
Depends on:
Blocks:
Reported: 2017-01-18 22:40 UTC by Mikhail Kasimov
Modified: 2017-10-26 05:49 UTC (History)
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Mikhail Kasimov 2017-01-18 22:40:13 UTC
Ref: http://seclists.org/oss-sec/2017/q1/135
==============================================
Weblate contains an information disclosure issue in its password reset
form. When entering an arbitrary email address in the password reset
form Weblate will report back "User with this email address was not
found." This makes it possible to figure out which user accounts exist
on the weblate instance.

Affected: weblate 2.10 and earlier.

Upstream patch:
https://github.com/WeblateOrg/weblate/commit/abe0d2a29a1d8e896bfe829c8461bf8b391f1079

Bug report:
https://github.com/WeblateOrg/weblate/issues/1317
==============================================

https://software.opensuse.org/package/weblate

SLE12: 
M17N:l10n.opensuse.org 2.6
M17N:l10n.opensuse.org 2.8

Unsupported distros:
M17N:l10n.opensuse.org 2.5
M17N:l10n.opensuse.org 2.8

Other versions are in home: repos, which are not under official support.
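The bug class described in the report, reduced to an in-memory model. This is an added illustration, not Weblate's code or the upstream patch: the user table, the handler names and the reply strings are constructed for the example. The vulnerable handler reproduces the behaviour the advisory describes (a distinct "not found" reply for unregistered addresses); the hardened handler returns the same reply either way and only performs the mail side effect for a registered address, so the reply text no longer reveals whether an account exists.

```python
"""Constructed example of user enumeration via a password-reset form.

Models the CVE-2017-5537 bug class with a hypothetical in-memory user
table; none of these names or data come from Weblate itself.
"""
import secrets

# Constructed sample accounts (hypothetical, not from the report).
USERS = {"alice@example.org": "alice", "bob@example.org": "bob"}

# Existence-neutral reply shared by both outcomes of the hardened form.
NEUTRAL_REPLY = ("If an account with that email address exists, "
                 "a password reset link has been sent.")

# Records which addresses actually received a reset token (stand-in for
# a mail transport, so the example runs offline).
SENT = []


def send_reset_mail(email: str) -> None:
    """Hypothetical mail hook: issue a random token to a registered address."""
    SENT.append((email, secrets.token_urlsafe(32)))


def reset_form_vulnerable(email: str) -> str:
    """Leaks account existence: the reply differs for unknown addresses."""
    if email not in USERS:
        return "User with this email address was not found."
    send_reset_mail(email)
    return "Password reset email sent."


def reset_form_hardened(email: str) -> str:
    """Same reply for known and unknown addresses.

    The only difference between the two paths is the hidden side effect
    (mail sent to the registered address), which the requester cannot see.
    """
    if email in USERS:
        send_reset_mail(email)
    return NEUTRAL_REPLY


def enumerates(handler, known: str, unknown: str) -> bool:
    """True if `handler` lets a client distinguish a registered address
    from an unregistered one by comparing the two replies."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    known, unknown = "alice@example.org", "nobody@example.org"
    print("vulnerable leaks:", enumerates(reset_form_vulnerable, known, unknown))
    print("hardened leaks:  ", enumerates(reset_form_hardened, known, unknown))
```

The `enumerates` check is the test a reviewer would run against any account-recovery, registration or login form: submit one address known to exist and one known not to, and diff the responses (status code, body and headers, not just the visible message). Equalising the reply text closes the channel this report is about; the remaining difference between the two paths is the mail send, so a production fix should also keep response time similar for both cases (for example by sending mail asynchronously) so that timing does not re-open the same enumeration.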
Comment 1 Swamp Workflow Management 2017-01-18 23:01:25 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2017-01-19 10:04:42 UTC
I see that the deployment on https://l10n.opensuse.org/ runs SSO integration, so this would only affect the vanilla package.
Comment 4 Marcus Meissner 2017-10-26 05:49:09 UTC
fixed