CVE-2022-24912

Published: 2022-07-29 10:15:12
CWE-203
Source: web.nvd.nist.gov
Tags: github, runatlantis, atlantis, timing attack, webhook, event validator, nvd

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.002 Low
EPSS Percentile: 53.0%

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.
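The defect described above is the comparison strategy, not the HMAC itself. As an added example that is not Atlantis's own code (the function names and the sample secret are constructed for illustration), this Go snippet contrasts an early-exit secret comparison, which reveals how many leading bytes matched, with the constant-time checks from the standard library that a webhook validator should use:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Constructed sample secret for the demonstration; not an Atlantis value.
var webhookSecret = []byte("example-webhook-secret")

// insecureCompare shows the vulnerable pattern: it stops at the first
// differing byte, so the work done (and time taken) grows with the correct
// prefix. It also returns the byte count so the leak is visible without a clock.
func insecureCompare(supplied, secret []byte) (bool, int) {
	if len(supplied) != len(secret) {
		return false, 0
	}
	for i := range secret {
		if supplied[i] != secret[i] {
			return false, i + 1 // early exit leaks the matched prefix
		}
	}
	return true, len(secret)
}

// constantTimeCompare is the fix: every byte is inspected regardless of input.
func constantTimeCompare(supplied, secret []byte) bool {
	return subtle.ConstantTimeCompare(supplied, secret) == 1
}

// signPayload computes a GitHub-style "sha256=<hex>" HMAC header.
func signPayload(payload, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature checks a received header with constant-time hmac.Equal.
func verifySignature(payload []byte, header string, secret []byte) bool {
	return hmac.Equal([]byte(header), []byte(signPayload(payload, secret)))
}

func main() {
	_, n := insecureCompare([]byte("exXmple-webhook-secret"), webhookSecret)
	fmt.Println("insecure compare examined", n, "bytes before rejecting") // 3
}
```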

Affected configurations

NVD: runatlantis atlantis, range < 0.19.7

CNA Affected

[
  {
    "product": "github.com/runatlantis/atlantis/server/controllers/events",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "0.19.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
