Description
Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and session-forgery attacks.
Problem types
Observable Response Discrepancy
Product status
3.0.0 (semver) before 3.2.1
Credits
Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
References
github.com/rejetto/hfs/releases/tag/v3.2.1 (hfs v3.2.1 Release Notes)
www.vulncheck.com/...meration-via-login-response-differences