| Field | Value |
|---|---|
| Vulnerability ID | VCID-rvwv-6px9-xfdq |
| Aliases | GHSA-2frx-j9hj-6c65, GMS-2021-53 |
| Summary | User enumeration in authentication mechanisms |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 2.7 |
| Risk | 1.4 |
| Affected and Fixed Packages | Package Details |

Description
-----------

The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not.

Resolution
----------

We now ensure that a generic message is returned whether the user exists or not, if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/lexik/LexikJWTAuthenticationBundle/commit/a175d6dab968d93e96a3e4f80c495435f71d5eb7) for branches 2.10.x and 2.x.

Credits
-------

I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | LOW | https://github.com/advisories/GHSA-2frx-j9hj-6c65 |
| generic_textual | LOW | https://github.com/lexik/LexikJWTAuthenticationBundle |
| generic_textual | LOW | https://github.com/lexik/LexikJWTAuthenticationBundle/commit/a175d6dab968d93e96a3e4f80c495435f71d5eb7 |
| cvssv3.1_qr | LOW | https://github.com/lexik/LexikJWTAuthenticationBundle/security/advisories/GHSA-2frx-j9hj-6c65 |
| generic_textual | LOW | https://github.com/lexik/LexikJWTAuthenticationBundle/security/advisories/GHSA-2frx-j9hj-6c65 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-12T08:08:04.564888+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2frx-j9hj-6c65/GHSA-2frx-j9hj-6c65.json | 38.6.0 |