
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The CasaOS-UserService package, which provides user management functionality for CasaOS, contains a username enumeration vulnerability in the login page. The vulnerability was initially patched in version 0.4.7, but a bypass was discovered and subsequently patched in version 0.4.8. The issue was disclosed on April 1, 2024, and assigned CVE-2024-28232 (GitHub Advisory).
The vulnerability is classified as CWE-204 (Observable Response Discrepancy) with a CVSS v3.1 base score of 6.2 (Medium). The issue manifests through different error responses during the login process: when an invalid username is provided, the application returns a specific error code (10006) with the message 'User does not exist', while an invalid password returns a different error code (10013) with the message 'User does not exist or password is invalid'. This discrepancy in response messages allows for username enumeration (GitHub Advisory, NVD).
The vulnerability allows attackers to enumerate valid usernames in the CasaOS system. This information can be leveraged to conduct further attacks such as password brute-forcing or credential stuffing attacks against known valid accounts (GitHub Advisory).
The recommended mitigation is to upgrade to CasaOS-UserService version 0.4.8 or later. The fix implements a unified error message ('Username/Password is Incorrect!!!') with a single error code, regardless of whether the username or password is incorrect, thus preventing username enumeration (GitHub Advisory).
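The discrepancy and the unified-response fix, side by side, as an added Go example (CasaOS-UserService is a Go project, but this is not its code): the user store, digest helper and error code 10001 are constructed for the example; the 10006/10013 codes and messages are the ones quoted above.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed user store for this example, not CasaOS's real store.
var users = map[string][]byte{"admin": digest("correct-horse")}

func digest(s string) []byte {
	h := sha256.Sum256([]byte(s))
	return h[:]
}

type LoginResult struct {
	Code    int
	Message string
}

// LoginVulnerable reproduces the CWE-204 discrepancy: an unknown username and a
// wrong password yield different codes and messages, so a caller can tell them apart.
func LoginVulnerable(user, pass string) LoginResult {
	stored, ok := users[user]
	if !ok {
		return LoginResult{10006, "User does not exist"}
	}
	if subtle.ConstantTimeCompare(stored, digest(pass)) != 1 {
		return LoginResult{10013, "User does not exist or password is invalid"}
	}
	return LoginResult{0, "ok"}
}

// LoginHardened returns one code and one message for every failure, as the 0.4.8
// fix does. Code 10001 is a placeholder; the page does not give the real value.
func LoginHardened(user, pass string) LoginResult {
	stored, ok := users[user]
	if !ok { // hash a dummy so the unknown-user path does the same work (evens out timing)
		stored = digest("dummy-not-a-real-password")
	}
	if !ok || subtle.ConstantTimeCompare(stored, digest(pass)) != 1 {
		return LoginResult{10001, "Username/Password is Incorrect!!!"}
	}
	return LoginResult{0, "ok"}
}

func main() {
	fmt.Println(LoginVulnerable("ghost", "x") == LoginVulnerable("admin", "x"), LoginHardened("ghost", "x") == LoginHardened("admin", "x")) // false true
}
```

A regression test for the fix is the last comparison: the failure response for a nonexistent user must be byte-for-byte identical to the one for a wrong password.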
Source: This report was generated using AI