[Original] The "Forgot your Password" link in Computer Associates (CA) Unicenter Management Portal 2.0 and 3.1 displays different error messages for users that exist and users that do not exist, which could allow remote attackers to guess valid usernames.
[CNNVD] Computer Associates (CA) Unicenter Management Portal "Forgot your Password" Link Vulnerability (CNNVD-200409-055)
The "Forgot your Password" link in Computer Associates (CA) Unicenter Management Portal versions 2.0 and 3.1 returns different error messages depending on whether the user exists. A remote attacker can exploit this vulnerability to guess valid usernames.
CA Unicenter Management Portal Username Disclosure
Remote / Network Access
Loss of Confidentiality
Unicenter Management Portal contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a forgotten-password request is made for a user: the response discloses whether that user exists, resulting in a loss of confidentiality.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Disable the "Forgot Password" feature or restrict access to the portal.