Observable Response Discrepancy in Kirby - CVE-2022-39315


Published: October 18, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127187
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-39315
CWE-ID: CWE-204
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Kirby
Software vendor:
Ian Stewart

Description

The vulnerability allows a remote attacker to obtain sensitive information.

The vulnerability exists due to an observable response discrepancy in the brute force protection when login requests beyond the failed-attempt limit are handled: once the limit has been reached, the response differs depending on whether the targeted account exists. A remote attacker who sends crafted login requests from two or more IP addresses can use this difference to obtain sensitive information.

This issue can be used to confirm whether specific users are registered (user enumeration), which makes it primarily relevant for targeted attacks. Sites are affected when user accounts exist and the API or Panel is enabled.
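The weakness class described above, modelled as an added example. This is not Kirby's code and does not reproduce its login flow: the server, the failed-attempt limit, the response strings and the sample account are all hypothetical and constructed here. The model has two counters, one per IP and one per account, and shows why two IP addresses are needed: the attacker exhausts the per-account counter from the first address (which also exhausts that address's own per-IP counter), then probes once from a second address whose per-IP counter is untouched. In the leaky variant the lockout is reported with a distinct message, so that probe confirms whether the account exists; the hardened variant counts attempts against any submitted identifier and answers a locked account exactly like a wrong password.

```python
from collections import Counter

# Hypothetical limits and messages (not Kirby's).
FAIL_LIMIT = 3
GENERIC_FAILURE = "Invalid login"
LIMIT_REACHED = "Rate limit exceeded"

# Constructed sample data: one registered account.
SAMPLE_USERS = {"alice@example.com": "correct horse battery staple"}


class LoginServer:
    """Minimal login endpoint with per-IP and per-account failure counters."""

    def __init__(self, users, leaky):
        self.users = users        # email -> password
        self.leaky = leaky        # True: distinguishable lockout response (CWE-204)
        self.ip_fails = Counter()
        self.user_fails = Counter()

    def login(self, ip, email, password):
        # Per-IP limit: identical for every account, so it leaks nothing by itself.
        if self.ip_fails[ip] >= FAIL_LIMIT:
            return LIMIT_REACHED

        if self.leaky:
            # Vulnerable: a per-account counter only exists for real accounts and
            # its lockout is reported with a distinct message. A client that has
            # not hit its own per-IP limit therefore learns whether the account exists.
            if email in self.users and self.user_fails[email] >= FAIL_LIMIT:
                return LIMIT_REACHED
        else:
            # Hardened: the lock is keyed on whatever identifier was submitted,
            # and a locked account is answered exactly like a wrong password.
            if self.user_fails[email] >= FAIL_LIMIT:
                return GENERIC_FAILURE

        if self.users.get(email) == password:
            return "OK"

        self.ip_fails[ip] += 1
        if self.leaky:
            if email in self.users:
                self.user_fails[email] += 1
        else:
            self.user_fails[email] += 1
        return GENERIC_FAILURE


def account_exists(server, email, ip_a="198.51.100.10", ip_b="198.51.100.20"):
    """Enumeration probe using two attacker-controlled addresses.

    After FAIL_LIMIT failures from ip_a, ip_a's own per-IP counter is also
    exhausted, so a fourth request from it would say LIMIT_REACHED for any
    account. The probe from ip_b is what distinguishes a real account.
    """
    for _ in range(FAIL_LIMIT):
        server.login(ip_a, email, "not-the-password")
    return server.login(ip_b, email, "not-the-password") == LIMIT_REACHED


def probe(leaky, email):
    """Run the enumeration probe against a fresh server of the given variant."""
    return account_exists(LoginServer(SAMPLE_USERS, leaky=leaky), email)


if __name__ == "__main__":
    for leaky in (True, False):
        for email in ("alice@example.com", "nobody@example.com"):
            variant = "leaky   " if leaky else "hardened"
            print(f"{variant} {email:22} -> account_exists={probe(leaky, email)}")
```

In the hardened variant the probe answers False for both the registered and the unregistered address while the lock is still enforced (a correct password from the second address is rejected until the counter expires). Keying the counter on arbitrary submitted identifiers means unknown identifiers also consume state, so a real implementation must expire or bound those entries.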


Remediation

Install the security update from the vendor's website.

External links