#VU127085 Observable discrepancy in dependency-track - CVE-2024-54002

Published: December 4, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127085
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-54002
CWE-ID: CWE-203
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
dependency-track
Software vendor:
DependencyTrack

Description

The vulnerability allows a remote, unauthenticated attacker to determine which usernames belong to valid managed (locally stored) user accounts.

The vulnerability exists due to an observable discrepancy (CWE-203) in the /api/v1/user/login endpoint when handling login requests: the endpoint behaves differently depending on whether the supplied username matches an existing managed user. A remote attacker can send repeated login requests with different usernames, compare the responses, and thereby enumerate valid managed usernames. No valid credentials are required (PR:N in the CVSS vector above).

Only managed user accounts are affected; LDAP and OpenID Connect users are not.
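The advisory does not say which observable difference the login endpoint exposes. The following is an added example, not Dependency-Track code, that models the most common form of this weakness in password login handlers: the server runs the expensive password hash only when the username exists, so a request for a valid user takes measurably longer than one for an unknown user, even though status code and body are identical. It pairs that vulnerable handler with a hardened one that always hashes, and a probe that flags candidate usernames whose median latency stands out against a username that cannot exist. The user store, usernames, passwords and the PBKDF2 parameters are constructed for the example; PBKDF2 from the standard library stands in for bcrypt so the script runs offline.

```python
import hashlib
import hmac
import statistics
import time

# Constructed in-memory "managed user" store. PBKDF2-HMAC-SHA256 stands in
# for bcrypt; the iteration count is chosen so one hash costs tens of ms.
ITERATIONS = 50_000
SALT = b"constructed-static-salt"  # real code uses a random salt per user


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {
    "alice": hash_password("correct horse"),
    "bob": hash_password("battery staple"),
}

# Hash of a throw-away password, used by the hardened handler so that
# requests for unknown usernames pay the same hashing cost as known ones.
DUMMY_HASH = hash_password("dummy-password-never-accepted")

GENERIC_FAILURE = (401, "Invalid username or password")


def login_vulnerable(username: str, password: str):
    """Vulnerable pattern (CWE-203): the password hash is computed only
    when the username exists, so a missing user returns almost instantly."""
    stored = USERS.get(username)
    if stored is None:
        return GENERIC_FAILURE           # fast path leaks existence via timing
    if hmac.compare_digest(hash_password(password), stored):
        return 200, "ok"
    return GENERIC_FAILURE


def login_hardened(username: str, password: str):
    """Hardened pattern: hash and compare on every request, so the work
    done does not depend on whether the username exists."""
    stored = USERS.get(username)
    candidate = hash_password(password)
    reference = stored if stored is not None else DUMMY_HASH
    if stored is not None and hmac.compare_digest(candidate, reference):
        return 200, "ok"
    return GENERIC_FAILURE


def median_latency(handler, username: str, samples: int = 7) -> float:
    """Median wall-clock time of `samples` failed logins for `username`."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        handler(username, "definitely-wrong-password")
        times.append(time.perf_counter() - t0)
    return statistics.median(times)


def response_discrepancy(handler, candidate: str,
                         absent: str = "zz-no-such-user-zz") -> bool:
    """True if status code or body differ between a candidate and an
    absent username; both handlers here use a uniform error, so False."""
    return handler(candidate, "x") != handler(absent, "x")


def enumerate_candidates(handler, candidates, threshold: float = 3.0,
                         absent: str = "zz-no-such-user-zz", samples: int = 7):
    """Return the candidates whose median latency exceeds `threshold`
    times that of a username known not to exist. A ratio near 1 for every
    candidate means the timing channel is closed."""
    baseline = max(median_latency(handler, absent, samples), 1e-6)
    found = []
    for name in candidates:
        ratio = median_latency(handler, name, samples) / baseline
        if ratio > threshold:
            found.append(name)
    return found


if __name__ == "__main__":
    names = ["alice", "carol", "bob", "dave"]
    print("vulnerable handler leaks:", enumerate_candidates(login_vulnerable, names))
    print("hardened handler leaks:  ", enumerate_candidates(login_hardened, names))
```

Against a live endpoint the same probe would use a network client and more samples per username, since network jitter is far larger than the local noise here; the fix on the server side is the one the hardened handler shows: perform the same amount of work and return the same response whether or not the username exists.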


Remediation

Install the security update from the vendor's website. Until it is applied, rate-limit or alert on bursts of failed requests to /api/v1/user/login from a single source, as repeated login attempts with many different usernames is the traffic pattern this enumeration produces.

External links