GitHub Advisory DatabaseGHSA-66M4-GC8H-HPJXTiming attack in eZ Platform Ibexa
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
34.5%
Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter ‘ibexa.security.authentication.constant_auth_time’. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ezsystems/ezpublish-kernel | lt | 7.5.29 | |
| ezsystems/ezplatform-kernel | lt | 1.3.19 |
References
developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce
github.com/advisories/GHSA-66m4-gc8h-hpjx
github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2
github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94
nvd.nist.gov/vuln/detail/CVE-2022-48366
Related
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
34.5%