PT-2025-27944 · Ergon Informatik AG · Airlock IAM
Published
2025-07-04
·
Updated
2025-07-04
·
CVE-2025-6056
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
Ergon Informatik AG's Airlock IAM versions 7.7.9 through 8.3.1
Description:
The password reset functionality responds with a measurable timing difference depending on whether the submitted username exists. Because the endpoint is reachable without authentication (AV:N/PR:N in the vector above), a remote attacker can enumerate valid usernames by timing responses, even if the response body is identical for known and unknown accounts.
Recommendations:
For versions 7.7.9 through 8.3.1, consider restricting access to the password reset functionality (for example, to trusted networks) to prevent username enumeration until a patch is available.
As a temporary workaround, limit the rate of password reset attempts per client and per target username. Note that rate limiting only raises the cost of sampling the timing channel; it does not remove the timing difference itself.
Avoid relying on the password reset feature for sensitive accounts until the issue is resolved, and monitor the endpoint for bursts of reset requests against many distinct usernames, which is the characteristic enumeration pattern.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
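The following is an added illustration of the weakness class described above and of the usual remediation; it is not Airlock IAM code and makes no claim about how Airlock IAM implements password reset. The user store, the PBKDF2-based token derivation, the response string and the usernames are all constructed for the example. The vulnerable handler skips the expensive step for unknown users, so its response time leaks account existence; the hardened handler performs the same work on every path.

```python
"""Timing side channel in a password-reset endpoint, on a constructed toy model.

Added example only (not Airlock IAM code): USERS, DUMMY_SALT, the token
derivation and RESPONSE are all assumptions made for illustration.
"""
import hashlib
import os
import time

# Constructed user store: username -> per-user salt (stand-in for an account DB).
USERS = {"alice": os.urandom(16), "bob": os.urandom(16)}
# Fixed dummy salt so that unknown users go through identical work.
DUMMY_SALT = os.urandom(16)
PBKDF2_ROUNDS = 50_000

# Generic body returned for every request, known or unknown account.
RESPONSE = "If that account exists, a reset link has been sent."


def _derive_reset_token(username: str, salt: bytes) -> str:
    # The expensive step a real reset flow performs before the response
    # (token derivation, mail rendering, ...). Cost is independent of the input.
    return hashlib.pbkdf2_hmac("sha256", username.encode(), salt, PBKDF2_ROUNDS).hex()


def reset_vulnerable(username: str) -> tuple[str, int]:
    """Return (body, work_units). The body never differs, but unknown users
    return early, so response time reveals whether the account exists."""
    salt = USERS.get(username)
    if salt is None:
        return RESPONSE, 0          # early return: fast path leaks "no such user"
    _derive_reset_token(username, salt)
    return RESPONSE, PBKDF2_ROUNDS


def reset_hardened(username: str) -> tuple[str, int]:
    """Same work on every path: unknown users get a dummy salt and the
    derived token is discarded, so timing no longer depends on existence."""
    salt = USERS.get(username)
    known = salt is not None
    _derive_reset_token(username, salt if known else DUMMY_SALT)
    # In a real system the mail would be enqueued only when `known` is True,
    # on an asynchronous worker so the enqueue does not add to response time.
    return RESPONSE, PBKDF2_ROUNDS


def median_ms(fn, username: str, n: int = 7) -> float:
    """Median wall-clock time of fn(username) in milliseconds."""
    samples = []
    for _ in range(n):
        t0 = time.perf_counter()
        fn(username)
        samples.append((time.perf_counter() - t0) * 1000)
    samples.sort()
    return samples[n // 2]


def timing_gap_ms(fn, known: str = "alice", unknown: str = "nobody") -> float:
    """How much longer a known username takes than an unknown one; this is
    what an enumerating attacker measures from the network."""
    return median_ms(fn, known) - median_ms(fn, unknown)


if __name__ == "__main__":
    for name, fn in (("vulnerable", reset_vulnerable), ("hardened", reset_hardened)):
        print(f"{name}: known-vs-unknown gap = {timing_gap_ms(fn):.2f} ms")
```

The same-body check (`reset_vulnerable` returns `RESPONSE` in both cases) is what most implementations already get right; the channel is the skipped work, which is why a generic error message alone does not fix this class of issue. Equalising the work is the fix; the rate limiting suggested above only reduces how many samples an attacker can take against each username.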
Weakness Enumeration
Side Channel Attack
Related Identifiers
CVE-2025-6056
Affected Products
Airlock IAM