Time-Based Information Disclosure Vulnerability in Flow

2024-05-1723:03:25

GitHub Advisory Database

github.com

vulnerability

information disclosure

timing attacks

password provider

software

6.9 Medium

AI Score

Confidence

Low

JSON

The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.

Affected configurations

Vulners

Node

neosformRange<3.3.5

neosformRange<3.2.7

neosformRange<3.1.7

neosformRange<3.0.10

neosformRange<2.3.16

CPENameOperatorVersion
neos/flowlt3.3.5
neos/flowlt3.2.7
neos/flowlt3.1.7
neos/flowlt3.0.10
neos/flowlt2.3.16

Name	Operator	Version
neos/flow	lt	3.3.5
neos/flow	lt	3.2.7
neos/flow	lt	3.1.7
neos/flow	lt	3.0.10
neos/flow	lt	2.3.16

References

github.com/advisories/GHSA-6pq8-67pw-j6hw

github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2016-11-01.yaml

www.neos.io/blog/flow-sa-2016-001.html

6.9 Medium

AI Score

Confidence

Low

JSON