PT-2024-36009 · Unknown · Dependency-Track

Hannes Michel · Published 2024-12-04 · Updated 2024-12-05

CVE-2024-54002
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dependency-Track versions prior to 4.12.2
Description: The issue allows actors to enumerate valid names of managed users by leveraging an observable difference in request duration at the "/api/v1/user/login" endpoint: a login request for a username that exists in the system takes measurably longer to process than one for a username that does not. Measuring the response time of login attempts therefore reveals whether a given username exists. LDAP and OpenID Connect users are not affected.
Recommendations: For versions prior to 4.12.2, update to Dependency-Track 4.12.2 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v1/user/login" endpoint to minimize the risk of exploitation. Avoid using this endpoint for login requests until the issue is resolved.
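The following is an added illustration of the weakness class described above, not code from Dependency-Track or from the advisory author. It assumes a generic password login in which the expensive step is the password hash check (PBKDF2 is used here as a stand-in; the user store, salts and passwords are constructed). The vulnerable form returns early when the username is unknown, so it never pays the hashing cost and answers faster; the hardened form always performs one hash evaluation, against a dummy record when the user does not exist, so request duration no longer depends on whether the username is valid.

```python
import hashlib
import hmac
import time

# Work factor for the stand-in password hash (assumption: any slow hash behaves the same way)
ITERATIONS = 50_000

# Counter of expensive hash evaluations, used to show how much work each login path performs
HASH_CALLS = 0


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash; every call is counted so the work per login can be compared."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, stored hash). Not real data.
_ALICE_SALT = b"constructed-salt-alice"
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT))}

# Dummy credential that the hardened path verifies against when the user is unknown.
DUMMY_SALT = b"constructed-dummy-salt"
DUMMY_HASH = hash_password("not-a-real-password", DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Timing side channel: unknown users skip the hash, so they are answered faster."""
    record = USERS.get(username)
    if record is None:
        return False  # early exit, no hashing work done
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Constant-work login: one hash evaluation regardless of whether the user exists."""
    record = USERS.get(username)
    if record is None:
        salt, stored, exists = DUMMY_SALT, DUMMY_HASH, False
    else:
        salt, stored, exists = record[0], record[1], True
    match = hmac.compare_digest(hash_password(password, salt), stored)
    # The dummy record can never match, but the result is still gated on `exists`
    # so a collision with the dummy hash could not log anyone in.
    return match and exists


def hash_work(login, username: str, password: str) -> int:
    """Return the number of password-hash evaluations `login` performs for this attempt."""
    before = HASH_CALLS
    login(username, password)
    return HASH_CALLS - before


def best_of(login, username: str, password: str, rounds: int = 10) -> float:
    """Minimum wall-clock duration of `login` over several rounds (seconds)."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, password)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = best_of(login, "alice", "wrong password")
        unknown = best_of(login, "nobody", "wrong password")
        print(f"{name:10s} known user: {known * 1000:7.2f} ms  "
              f"unknown user: {unknown * 1000:7.2f} ms  "
              f"hash calls: {hash_work(login, 'alice', 'x')}/{hash_work(login, 'nobody', 'x')}")
```

Running the script prints a clear gap between the known-user and unknown-user timings for the vulnerable path and near-identical timings for the hardened one. The same idea applies to any authentication backend: the defender's check is that every failure path (unknown user, disabled account, wrong password) performs the same expensive work before responding.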

Exploit

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2024-54002
GHSA-9W3M-HM36-W32W

Affected Products

Dependency-Track