Bug 1020745 - (CVE-2017-5537) VUL-1: CVE-2017-5537: weblate: information disclosure in password reset form
Classification: openSUSE
Product: openSUSE.org
Component: Infrastructure
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
Lars Vogdt
Depends on:
Reported: 2017-01-18 22:40 UTC by Mikhail Kasimov
Modified: 2017-10-26 05:49 UTC
Description Mikhail Kasimov 2017-01-18 22:40:13 UTC
Ref: http://seclists.org/oss-sec/2017/q1/135
Weblate contains an information disclosure issue in its password reset
form. When entering an arbitrary email address in the password reset
form, Weblate will report back "User with this email address was not
found." This makes it possible to figure out which user accounts exist
on the weblate instance.

Affected: weblate 2.10 and earlier.

Upstream patch:

Bug report:


M17N:l10n.opensuse.org 2.6
M17N:l10n.opensuse.org 2.8

Unsupported distros:
M17N:l10n.opensuse.org 2.5
M17N:l10n.opensuse.org 2.8

Other versions are in home: repos, which are not under official support.
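Added example to illustrate the issue described above; this is not Weblate's code nor anything from the openSUSE package. It models a password-reset handler that answers differently for unknown addresses (the behaviour the report quotes), a hardened handler that returns the same visible response either way, and a probe showing what an unauthenticated requester can learn from each. The handler shapes, the user list and the e-mail addresses are constructed for the example.

```python
"""Toy password-reset handlers: an enumerating one, a hardened one, and the
attacker's comparison that tells them apart. Example code, not Weblate's."""

# Constructed sample user store; these addresses are made up.
KNOWN_USERS = frozenset({"alice@example.org", "bob@example.org"})

# The distinguishing message quoted in the report.
NOT_FOUND_MSG = "User with this email address was not found."
# One message to return regardless of whether the address is registered.
GENERIC_MSG = ("If an account with that e-mail address exists, "
               "a password reset link has been sent to it.")


def reset_vulnerable(email, users=KNOWN_USERS):
    """Enumerating behaviour: the response itself reveals whether the
    address belongs to an account (assumed shape, not Weblate's view)."""
    if email not in users:
        return {"status": 400, "message": NOT_FOUND_MSG, "mail_sent": False}
    return {"status": 200, "message": "Password reset e-mail sent.",
            "mail_sent": True}


def reset_hardened(email, users=KNOWN_USERS):
    """Fixed behaviour: the HTTP-visible part of the response is constant.
    Whether a mail actually goes out is not visible to the requester."""
    return {"status": 200, "message": GENERIC_MSG, "mail_sent": email in users}


def observable(response):
    """The part of a response an unauthenticated requester can see:
    status code and message, not whether mail was sent."""
    return (response["status"], response["message"])


def enumerate_accounts(handler, candidates):
    """Attacker's view: take a baseline from an address that certainly has
    no account, then report every candidate whose visible response differs.
    For the hardened handler this set is always empty."""
    baseline = observable(handler("no-such-user@invalid.example"))  # constructed
    return {e for e in candidates if observable(handler(e)) != baseline}


if __name__ == "__main__":
    probe = ["alice@example.org", "carol@example.org"]
    print("vulnerable:", sorted(enumerate_accounts(reset_vulnerable, probe)))
    print("hardened:  ", sorted(enumerate_accounts(reset_hardened, probe)))
```

The uniform message closes the channel the report describes, but not every channel: if the handler sends mail synchronously, a registered address still takes measurably longer to answer, so sending the mail asynchronously and rate-limiting the form per source address are the usual companions to this fix.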
Comment 1 Swamp Workflow Management 2017-01-18 23:01:25 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2017-01-19 10:04:42 UTC
I see that the deployment on https://l10n.opensuse.org/ runs SSO integration, so this would only affect the vanilla package.
Comment 4 Marcus Meissner 2017-10-26 05:49:09 UTC