CVE-2020-25200 - Information Exposure Through Discrepancy vulnerability in Pritunl 1.29.2145.25

CVSS 5.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: LOW
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, pritunl, CWE-203

Summary

Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server returns error 401. However, if the username is valid, then after 20 login attempts the server starts responding with error 400. Invalid usernames receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design.

Vulnerable Configurations

Part         Description  Count
Application  Pritunl      1

Common Weakness Enumeration (CWE)