A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. Impact This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. Patches The vulnerability has been patched in Fides version 2.44.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Workarounds There are no workarounds. Proof of Concept Create a valid user called valid_user on a remote Fides server. Ensure that there is no user on the server named invalid_user. Note that this vulnerability is not reproducible on a local deployment due to the extremely low latency of responses to login requests. In a terminal run export LOGIN_URL='https://example.com/api/v1/login', replacing example.com with your remote Fides server's domain or IP address. In the same terminal run exploit-poc.sh (detailed below). It's possible to distinguish between valid and invalid…Read More