CVE-2021-46876
Description
An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
eZ Publish Ibexa Kernel before 7.5.15.1 leaks user existence via the /user/sessions endpoint, allowing enumeration by unauthenticated attackers.
An issue was discovered in eZ Publish Ibexa Kernel before version 7.5.15.1, where the /user/sessions endpoint could be abused to determine if a given account exists on the system [1][3]. The root cause is that the REST authentication handler did not introduce artificial delays when processing login attempts. As a result, the response time for a valid username versus an invalid one could differ, enabling a timing side-channel attack to enumerate valid user accounts [4].
To exploit this vulnerability, an unauthenticated attacker sends login requests to the /user/sessions REST endpoint with different usernames. By measuring the response times, the attacker can infer which usernames correspond to existing accounts because the server takes different amounts of time to process requests depending on whether the user exists [4]. No authentication is required to access this endpoint, making it a low-complexity enumeration vector.
The impact is the exposure of valid usernames registered on the platform. This information can be used as a stepping stone for further attacks, such as targeted password spraying or phishing campaigns against identified accounts. The CVSS score reflects a medium severity issue due to the low attack complexity and the fact that only account existence is disclosed, not credentials or other sensitive data [3].
The vulnerability has been patched in eZ Publish Ibexa Kernel version 7.5.15.1. The fix introduces configurable minimum and maximum delay times (default 30,000 and 500,000 microseconds respectively) added to the authentication response, normalizing timing differences that could leak account existence [4]. Administrators should update to the patched version or apply the provided workarounds to mitigate the enumeration risk.
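To show what the patch's random delay does and does not achieve, the following is an added simulation (not code from the eZ Publish/Ibexa project) that models three variants of the login handler using the fix's default bounds of 30,000 to 500,000 microseconds: the unpatched path, the patched path with jitter, and an alternative that does equal hashing work for unknown users. The 80 ms hash cost and the 5 ms baseline are constructed assumptions, and the constant-work variant is an assumed alternative mitigation, not something the patch implements.

```python
import math
import random
import statistics

# Bounds from the CVE-2021-46876 fix: usleep(random_int(min, max)) before the
# credential check, in microseconds.
MIN_DELAY_US = 30_000
MAX_DELAY_US = 500_000

# Constructed assumptions: verifying a stored password hash costs ~80 ms, the
# unpatched path skips that work for unknown users, baseline noise is ~5 ms.
HASH_COST_MS = 80.0
BASE_MS, BASE_NOISE_MS = 5.0, 1.0

def unpatched_latency(user_exists: bool, rng: random.Random) -> float:
    """Pre-fix handler model: only existing users pay the hash cost."""
    base = rng.gauss(BASE_MS, BASE_NOISE_MS)
    return base + (HASH_COST_MS if user_exists else 0.0)

def patched_latency(user_exists: bool, rng: random.Random) -> float:
    """7.5.15.1 model: same work plus a uniform random delay in [min, max]."""
    jitter_ms = rng.randint(MIN_DELAY_US, MAX_DELAY_US) / 1000.0
    return unpatched_latency(user_exists, rng) + jitter_ms

def constant_work_latency(user_exists: bool, rng: random.Random) -> float:
    """Alternative (assumed, not in the patch): do the hash work for unknown
    users too, so the existence bit never reaches the timing channel."""
    return rng.gauss(BASE_MS, BASE_NOISE_MS) + HASH_COST_MS

def mean_gap(latency_fn, samples: int, seed: int = 1) -> float:
    """Mean latency for an existing user minus mean for a missing user over
    `samples` simulated requests each: the signal a mitigation must remove."""
    rng = random.Random(seed)
    existing = [latency_fn(True, rng) for _ in range(samples)]
    missing = [latency_fn(False, rng) for _ in range(samples)]
    return statistics.fmean(existing) - statistics.fmean(missing)

def jitter_std_ms() -> float:
    """Standard deviation of the uniform delay on [min, max], in ms."""
    return (MAX_DELAY_US - MIN_DELAY_US) / 1000.0 / math.sqrt(12)

def requests_jitter_withstands(gap_ms: float, z: float = 3.0) -> int:
    """Averaged requests per username after which a gap of gap_ms stands
    z standard errors above the jitter, i.e. when jitter stops masking it."""
    return math.ceil(2 * (z * jitter_std_ms() / gap_ms) ** 2)
```

The jitter hides the difference in any single request but leaves the mean gap intact, which is why a delay is best paired with equal work on both paths and rate limiting on the endpoint.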
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ezsystems/ezpublish-kernel (Packagist) | >= 6.13.0, < 6.13.8.1 | 6.13.8.1 |
| ezsystems/ezpublish-kernel (Packagist) | >= 7.5.0, < 7.5.15.1 | 7.5.15.1 |
Affected products
- eZ Publish/Ibexa Kernel
- Range: <7.5.15.1
Patches
b496f073c3f0 Merge pull request from GHSA-gmrf-99gw-vvwj
4 files changed · +28 −2
eZ/Bundle/EzPublishRestBundle/Resources/config/default_settings.yml+4 −0 modified@@ -84,3 +84,7 @@ parameters: refreshSession: mediaType: 'UserSession' href: 'templateRouter.generate("ezpublish_rest_refreshSession", {sessionId: "{sessionId}"})' + + # Boundary times in microseconds which the authentication check will be delayed by. + ezpublish_rest.authentication_min_delay_time: 30000 + ezpublish_rest.authentication_max_delay_time: 500000 \ No newline at end of file
eZ/Bundle/EzPublishRestBundle/Resources/config/security.yml+2 −0 modified@@ -15,6 +15,8 @@ services: - "@ezpublish.config.resolver" - "@session.storage" - "@?logger" + - "%ezpublish_rest.authentication_min_delay_time%" + - "%ezpublish_rest.authentication_max_delay_time%" abstract: true ezpublish_rest.security.authentication.logout_handler:
eZ/Publish/Core/REST/Server/Controller/SessionController.php+1 −1 modified@@ -59,7 +59,7 @@ public function createSessionAction(Request $request) ) ); $request->attributes->set('username', $sessionInput->login); - $request->attributes->set('password', $sessionInput->password); + $request->attributes->set('password', (string) $sessionInput->password); try { $session = $request->getSession();
eZ/Publish/Core/REST/Server/Security/RestAuthenticator.php+21 −1 modified@@ -36,6 +36,10 @@ */ class RestAuthenticator implements ListenerInterface, AuthenticatorInterface { + const DEFAULT_MIN_SLEEP_VALUE = 30000; + + const DEFAULT_MAX_SLEEP_VALUE = 500000; + /** @var \Psr\Log\LoggerInterface */ private $logger; @@ -59,14 +63,26 @@ class RestAuthenticator implements ListenerInterface, AuthenticatorInterface /** @var \Symfony\Component\Security\Http\Logout\LogoutHandlerInterface[] */ private $logoutHandlers = []; + /** + * @var int|null + */ + private $minSleepTime; + + /** + * @var int|null + */ + private $maxSleepTime; + public function __construct( TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, $providerKey, EventDispatcherInterface $dispatcher, ConfigResolverInterface $configResolver, SessionStorageInterface $sessionStorage, - LoggerInterface $logger = null + LoggerInterface $logger = null, + $minSleepTime = self::DEFAULT_MIN_SLEEP_VALUE, + $maxSleepTime = self::DEFAULT_MAX_SLEEP_VALUE ) { $this->tokenStorage = $tokenStorage; $this->authenticationManager = $authenticationManager; @@ -75,6 +91,8 @@ public function __construct( $this->configResolver = $configResolver; $this->sessionStorage = $sessionStorage; $this->logger = $logger; + $this->minSleepTime = !is_int($minSleepTime) ? self::DEFAULT_MIN_SLEEP_VALUE : $minSleepTime; + $this->maxSleepTime = !is_int($maxSleepTime) ? self::DEFAULT_MAX_SLEEP_VALUE : $maxSleepTime; } /** @@ -89,6 +107,8 @@ public function handle(GetResponseEvent $event) public function authenticate(Request $request) { + usleep(random_int($this->minSleepTime, $this->maxSleepTime)); + // If a token already exists and username is the same as the one we request authentication for, // then return it and mark it as coming from session. $previousToken = $this->tokenStorage->getToken();
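Review bot: in the `@@ -75,6 +91,8 @@` hunk of RestAuthenticator.php the constructor only checks `is_int()` on the two bounds; nothing enforces `$minSleepTime <= $maxSleepTime` or non-negative values, and `random_int()` in `authenticate()` throws when the minimum exceeds the maximum, so a swapped pair of `ezpublish_rest.authentication_*_delay_time` values would fail every REST login. Suggest validating the pair in the constructor and either falling back to the defaults or throwing a configuration exception with a clear message. Two smaller points on the same lines: a non-integer value (for example one injected as a string from an environment variable) silently reverts to the default instead of being reported, and the `usleep()` sits before the early return for an already-authenticated session token, so that path pays the delay as well. A comment next to the `usleep()` should also state that a random delay only widens the variance an observer has to average out; the difference in work between known and unknown users remains, so the delay should be paired with equal work on both paths.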
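Review bot: the `(string) $sessionInput->password` cast in SessionController.php turns a missing or null password into an empty string and lets the request proceed to the authenticator rather than rejecting it; if the goal is to avoid a type error whose response differs from a normal failed login, say so in a comment, and consider returning a 400 for an absent password before authentication runs.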
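Review bot: default_settings.yml now carries the same 30000 / 500000 values that RestAuthenticator.php hard-codes as DEFAULT_MIN_SLEEP_VALUE and DEFAULT_MAX_SLEEP_VALUE, leaving two places to keep in sync; document which one wins or derive one from the other. The file also ends without a trailing newline (`\ No newline at end of file`), which should be added.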
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gmrf-99gw-vvwj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-46876 (ghsa, ADVISORY)
- github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed (ghsa, WEB)
- github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj (ghsa, WEB)
- packagist.org/packages/ezsystems/ezpublish-kernel (ghsa, WEB)
News mentions
No linked articles in our index yet.