CVE-2025-1396
LOWDescription
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| wso2 | identity_server |
| wso2 | identity_server |
| wso2 | identity_server |
| wso2 | identity_server |
| wso2 | identity_server_as_key_manager |
| wso2 | open_banking_iam |
References
Frequently Asked Questions
What is CVE-2025-1396? +
How severe is CVE-2025-1396? +
What products are affected by CVE-2025-1396? +
How do I check if I'm vulnerable to CVE-2025-1396? +
Related Vulnerabilities
A specific authentication strategy allows to learn ids of PAM users associated with certain authentication types.
Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. In versions 0.8.0b2 …
Helix ALM prior to 2025.1 returns distinct error responses during authentication, allowing an attacker to determine whether a username exists.
Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers …
Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially …
darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers …