It started as “bring password hashing inline with industry best practices” and two weeks later ended as “BaseUser.login implementation is vulnerable to time based user enumeration”. So here’s how a PR to bring a package inline with security best practices lead to a CVE.

Recently I moved, and am still in the processing of moving my websites to an ORM called Piccolo which provides a nice database layer, batteries included approach to working with FastAPI while allowing me; a former Django developer; the ability to easily build data driven platforms without the need to write SQL.

Given my day job and the joy I get finding security vulnerabilities in products, naturally I ended up investing some time investigating the platform I intended on using for quite a few websites. Initially, I noted that the underlying password hashing implementation did not meet industry best practices and subsequently raised a pull request. However, as a result of fixing this issue and the testing surrounding the fix I noted some timing discrepancies within the authentication flow.

I have discussed time based user enumeration before and the vulnerability category is one I take great interest in from both an analysis and exploitation vector. So, as one does, I conducted further testing and discovered the ability to reliably enumerate users based on response times. Woo!

Now, GitHub features the ability to report security issues directly to project owners if they have setup a security policy. As Piccolo had a security policy setup for their repositories, I was able to directly report the issue, have discussions surrounding fixes and receive a CVE with little to no hassle. After completing the disclosure and helping work on a fix, GitHub assigned CVE-2023-41885 to the issue with a CVSS 3.x severity of 5.3 MEDIUM. My first solo CVE and the timeline from disclosure to CVE took just over half a week and resulted in a CVSS ranking of medium? Now that’s an experience.

I’ve honestly thoroughly enjoyed the process surrounding my first solo CVE and you can read more on the advisory itself here.