Observable Response Discrepancy in Kirby - CVE-2022-39315

 

Observable Response Discrepancy in Kirby - CVE-2022-39315

Published: October 18, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127187
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-39315
CWE-ID: CWE-204
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to observable response discrepancy in brute force protection when handling login requests beyond the failed-attempt limit. A remote attacker can send crafted login requests from two or more IP addresses to disclose sensitive information.

This issue can be used to confirm whether specific users are registered, which makes it primarily relevant for targeted attacks. Sites are affected when user accounts are present and the API or Panel is enabled.


How to mitigate CVE-2022-39315

Install security update from vendor's website.

Sources