Vulnerabilities > CVE-2020-25200 - Information Exposure Through Discrepancy vulnerability in Pritunl 1.29.2145.25

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

pritunl

CWE-203

NVD

Published: 2020-10-01

Updated: 2024-08-04

Summary

Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design

Vulnerable Configurations

Part	Description	Count
Application	Pritunl Pritunl Pritunl 1.29.2145.25	1

Common Weakness Enumeration (CWE)

CWE-203 - Information Exposure Through Discrepancy

References

https://github.com/lukaszstu/pritunl/blob/master/CVE-2020-25200
https://pritunl.com/security
https://pritunl.com