Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-zvar-nu8h-8qd8
Vulnerability ID VCID-zvar-nu8h-8qd8
Aliases CVE-2024-24770
GHSA-5h3x-6gwf-73jm
Summary vantage6 vulnerable to a username timing attack on recover password/MFA token ### Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`, which send emails to users if they have lost their password or MFA token. Usernames can be found by assessing response time differences, and additionally, they can be found because the endpoint gives a response "Failed to login" if the username exists. ### Patches No ### Workarounds No
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-208 Observable Timing Discrepancy
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/vantage6/vantage6
https://github.com/vantage6/vantage6/commit/aecfd6d0e83165a41a60ebd52d2287b0217be26b
CVE-2024-24770 https://nvd.nist.gov/vuln/detail/CVE-2024-24770
GHSA-5h3x-6gwf-73jm https://github.com/advisories/GHSA-5h3x-6gwf-73jm
GHSA-5h3x-6gwf-73jm https://github.com/vantage6/vantage6/security/advisories/GHSA-5h3x-6gwf-73jm
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:47:22.949155+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/vantage6/CVE-2024-24770.yml 38.6.0