- Component Type: TYPO3 CMS
- Subcomponent: User Authentication (ext:core)
- Release Date: September 13, 2022
- Vulnerability Type: Information Disclosure
- Affected Versions: 7.0.0-7.6.57, 8.0.0-8.7.47, 9.0.0-9.5.36, 10.0.0-10.4.31, 11.0.0-11.5.15
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
- References: CVE-2022-36105, CWE-208
It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts.
Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above.
Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new MimicServiceInterface::mimicAuthUser, which simulates corresponding times regular processing would usually take.
Thanks to Vautia who reported this issue and to TYPO3 core & security team members Oliver Hader who fixed the issue.
All security related code changes are tagged so that you can easily look them up in our review system.