Saleor User Enumeration Vulnerability in Account Registration Mutation

Vulnerability

A user enumeration vulnerability has been identified in Saleor versions 3.21.0 up to, but not including, 3.21.16. The issue is in the 'accountRegister' mutation, which returns different error messages for existing and non-existing email addresses and thereby reveals whether an account with a given email already exists in Saleor. An attacker can determine the existence of email addresses by comparing the errors in the responses. The issue has been patched in version 3.21.16.

Impact

The vulnerability allows for user enumeration by revealing the existence of email addresses in the system through inconsistent error messages during the account registration process.

Reproduction

To reproduce this vulnerability, send a request to the 'accountRegister' mutation with an email address and inspect the error messages in the response. If the email address is already registered, a specific error indicates its presence; a different error is returned for addresses that are not registered. This discrepancy can be used to infer which email addresses belong to existing users.

Remediation

Users are advised to upgrade to Saleor version 3.21.16 or later. If an immediate upgrade is not possible, consider applying a rate limit to the 'accountRegister' mutation so that the differing error responses cannot be probed at scale.
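The following is an added illustration, not Saleor's code, of the two remediations in plain Python: a registration handler that reproduces the vulnerable pattern (a distinct error for an already-registered address) next to a hardened variant that answers identically in both cases, and a simple per-client fixed-window rate limiter of the kind suggested as an interim measure. The user store, outbox, error code 'UNIQUE', message texts and response shape are assumptions made for this example and do not describe Saleor's real implementation.

```python
"""Registration handlers that do and do not act as an email-existence oracle.

Added example; the store, error codes and response shape are constructed
for the demo and are not Saleor's implementation.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample user store: one address is already registered.
EXISTING_USERS: frozenset[str] = frozenset({"alice@example.com"})

# Constructed outbox standing in for a mail queue; appended to, never returned
# to the caller, so nothing here can leak through the API response.
OUTBOX: list[tuple[str, str]] = []


def _send_confirmation(email: str) -> None:
    OUTBOX.append((email, "confirm-registration"))


def _notify_existing_account(email: str) -> None:
    OUTBOX.append((email, "registration-attempt-notice"))


def register_leaky(email: str, users: frozenset[str] = EXISTING_USERS) -> dict:
    """Vulnerable pattern: the error depends on whether the email is registered."""
    if email in users:
        return {"user": None,
                "errors": [{"field": "email", "code": "UNIQUE",  # assumed code
                            "message": "User with this email already exists."}]}
    _send_confirmation(email)
    return {"user": {"email": email, "isActive": False}, "errors": []}


def register_uniform(email: str, users: frozenset[str] = EXISTING_USERS) -> dict:
    """Hardened pattern: the response is byte-for-byte identical either way.

    A new address receives a confirmation mail; an already-registered address
    receives an out-of-band notice instead. Both branches return the same
    body, so the API no longer tells the caller which branch ran.
    """
    if email in users:
        _notify_existing_account(email)
    else:
        _send_confirmation(email)
    return {"user": None, "errors": [],
            "message": "If this address can be registered, a confirmation "
                       "email has been sent."}


def responses_distinguishable(handler: Callable[[str], dict],
                              known: str, unknown: str) -> bool:
    """True when the handler's responses reveal which address is registered."""
    return handler(known) != handler(unknown)


@dataclass
class FixedWindowLimiter:
    """Allow at most `limit` calls per `key` within any `window_seconds` span."""
    limit: int
    window_seconds: float
    _hits: dict[str, list[float]] = field(default_factory=dict)

    def allow(self, key: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits.get(key, [])
                  if now - t < self.window_seconds]
        if len(recent) >= self.limit:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


if __name__ == "__main__":
    print("leaky distinguishable:",
          responses_distinguishable(register_leaky, "alice@example.com", "bob@example.com"))
    print("uniform distinguishable:",
          responses_distinguishable(register_uniform, "alice@example.com", "bob@example.com"))
```

The uniform handler removes the response-content oracle, but the two branches still do different work; if the mail is sent synchronously, response timing can become a weaker oracle, so the notification and confirmation should be queued rather than sent inline. The rate limiter is keyed on a caller identifier (client IP, session or API key) and only slows probing; it is a stop-gap, not a fix.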

Added: Sep 9, 2025, 8:24 PM
Updated: Sep 9, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 9.3
remediation: 7.9
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.