PT-2022-23195 · Typo3 · Typo3

Published

2022-09-13

·

Updated

2024-03-06

·

CVE-2022-36105

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

TYPO3 versions prior to 7.6.58 ELTS
TYPO3 versions prior to 8.7.48 ELTS
TYPO3 versions prior to 9.5.37 ELTS
TYPO3 versions prior to 10.4.32
TYPO3 versions prior to 11.5.16
Description

It has been discovered that observing the response time of a login attempt can be used to distinguish existing from non-existing user accounts: when no user record is found, the core skips the comparatively expensive password hash check, so the request returns measurably faster than a wrong-password attempt against a real account. Authors of third-party TYPO3 extensions that provide a custom authentication service should check whether their extension is affected. Affected extensions must implement the new MimicServiceInterface::mimicAuthUser, which performs dummy work taking about as long as the regular password check would, so that both failure paths cost roughly the same time.
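The following self-contained PHP script is an added illustration of the mechanism, not TYPO3 code: it builds a one-entry user table (constructed test data) with bcrypt via password_hash, then times a wrong-password attempt for the existing user against an attempt for an unknown user, first with a naive short-circuit and then with a "mimic" branch that burns one hash computation before reporting failure. The user name, password and cost factor are arbitrary choices for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: a minimal login check that reproduces the
// user-enumeration timing side channel and the "mimic" fix for it.
// The user table below is constructed test data.

const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTS = ['cost' => 10];          // ~50-100 ms per hash on a laptop

/** @return array<string,string> username => password hash (constructed) */
function buildUsers(): array
{
    return ['alice' => password_hash('correct horse battery staple', HASH_ALGO, HASH_OPTS)];
}

/**
 * Vulnerable flow: an unknown user short-circuits before the expensive hash
 * comparison, so a failed login for a real account takes a full bcrypt
 * computation longer than one for a non-existent account.
 */
function loginVulnerable(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user])) {
        return false;                       // fast path leaks account existence
    }
    return password_verify($pass, $users[$user]);
}

/**
 * Hardened flow: when the user is unknown we still perform one hash
 * computation of the same cost (the "mimic"), then fail. Both failure paths
 * now take about the same time. The hash result is deliberately discarded.
 */
function loginMimic(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user])) {
        password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTS);
        return false;
    }
    return password_verify($pass, $users[$user]);
}

/** Median wall-clock time of $fn in milliseconds over $n runs. */
function timeMs(callable $fn, int $n = 5): float
{
    $samples = [];
    for ($i = 0; $i < $n; $i++) {
        $t0 = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $t0) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($n, 2)];
}

$users = buildUsers();
foreach (['loginVulnerable', 'loginMimic'] as $fn) {
    $existing = timeMs(fn() => $fn($users, 'alice', 'wrong-password'));
    $missing  = timeMs(fn() => $fn($users, 'mallory', 'wrong-password'));
    printf("%-16s existing user: %7.2f ms   unknown user: %7.2f ms\n", $fn, $existing, $missing);
}
```

Run it with `php timing.php`: the vulnerable variant shows the unknown-user case returning in well under a millisecond while the existing-user case takes a full bcrypt computation, which is the gap an attacker measures over HTTP; the mimic variant brings the two within noise of each other. Note that the mimic only equalises the hashing cost, so any other per-user work on the success path (database lookups, session setup) still needs the same treatment.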
Recommendations

Update to one of the following TYPO3 versions to fix this problem:

TYPO3 version 7.6.58 ELTS
TYPO3 version 8.7.48 ELTS
TYPO3 version 9.5.37 ELTS
TYPO3 version 10.4.32
TYPO3 version 11.5.16

Authors of affected third-party extensions should implement MimicServiceInterface::mimicAuthUser in their authentication service so that it performs dummy work taking about as long as regular processing would. Note that the interface ships with the fixed core versions listed above, so this complements the core update rather than replacing it.
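For extension authors, here is an added example of what such a service looks like; it is not code from TYPO3 or from any real extension. The namespace Vendor\MyAuth\Service, the class name and the in-memory demo user are hypothetical. It assumes, as I understand the core fix, that AbstractUserAuthentication calls mimicAuthUser() on every service implementing MimicServiceInterface when getUser() returned no record, and that the TYPO3 core classes named below (MimicServiceInterface, PasswordHashFactory) exist under those names in the fixed versions; verify the signatures against the core version you target.

```php
<?php
declare(strict_types=1);

namespace Vendor\MyAuth\Service;   // hypothetical extension namespace

use TYPO3\CMS\Core\Authentication\AbstractAuthenticationService;
use TYPO3\CMS\Core\Authentication\MimicServiceInterface;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Added example, not TYPO3 or extension code: a custom authentication
 * service with its own user source. Implementing MimicServiceInterface lets
 * the core call mimicAuthUser() when getUser() found nothing, so the
 * "unknown user" path costs about as much CPU as a real password check.
 */
final class MyAuthenticationService extends AbstractAuthenticationService implements MimicServiceInterface
{
    /** Returns the user record for the submitted name, or false if none. */
    public function getUser()
    {
        $record = $this->lookupUser((string)($this->login['uname'] ?? ''));
        return $record ?? false;
    }

    /** 200 = authenticated, 0 = wrong password (service is responsible). */
    public function authUser(array $user): int
    {
        $hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)
            ->get($user['password'], $this->pObj->loginType);
        $ok = $hashInstance->checkPassword((string)($this->login['uident'] ?? ''), $user['password']);
        return $ok ? 200 : 0;
    }

    /**
     * Called by the core instead of authUser() when no user record exists.
     * Compute one hash with the configured default algorithm so the failure
     * path takes as long as a real check; the result is discarded.
     */
    public function mimicAuthUser(): bool
    {
        try {
            $hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)
                ->getDefaultHashInstance($this->pObj->loginType);
            $hashInstance->getHashedPassword(bin2hex(random_bytes(16)));
        } catch (\Throwable $e) {
            return false;
        }
        return true;
    }

    /**
     * Constructed demo store; a real extension queries its own table or API.
     * The password field must hold a hash in a format TYPO3's factory can
     * parse; bcrypt ($2y$...) from password_hash() is one such format.
     */
    private function lookupUser(string $username): ?array
    {
        $store = [
            'alice' => [
                'uid'      => 1,
                'username' => 'alice',
                'password' => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
            ],
        ];
        return $store[$username] ?? null;
    }
}
```

The service still has to be registered with ExtensionManagementUtility::addService in the extension's ext_localconf.php as any TYPO3 authentication service does; that registration is unchanged by this fix. The important design point is that mimicAuthUser() uses the same hash algorithm and cost that authUser() would, since a cheaper dummy (or a fixed sleep) re-creates a measurable gap.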

Exploit

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

BIT-TYPO3-2022-36105
CVE-2022-36105
GHSA-M392-235J-9R7R

Affected Products

Typo3