Source: request-tracker
Version: 4.4.4+dfsg-3
Severity: important

Per https://docs.bestpractical.com/release-notes/rt/4.4.5:

Security

* In previous versions, RT's native login system is vulnerable to user 
enumeration
through a timing side-channel attack. This means an external entity could try to
find valid usernames by attempting logins and comparing the time to evaluate 
each
login attempt for valid and invalid usernames. This vulnerability does not 
allow any
access to the RT system. This vulnerability is assigned CVE-2021-38562 and is 
fixed
in this release.

Reply via email to