Short Description
User enumeration based on service times
Reporting Date
- August 2022
Details
During the login request, the user receives information from the backend system about the processing time of the request.
This information, recognizable in the HTTP header x-envoy-upstream-service-time can be used to detect whether the login request is valid user in the system.
Impact
Low
References
❤ Thanks to
Simon Reinhart for reporting the vulnerability.
Short Description
User enumeration based on service times
Reporting Date
Details
During the login request, the user receives information from the backend system about the processing time of the request.
This information, recognizable in the HTTP header
x-envoy-upstream-service-timecan be used to detect whether the login request is valid user in the system.Impact
Low
References
❤ Thanks to
Simon Reinhart for reporting the vulnerability.