Time-Based Information Disclosure Vulnerability in Flow

2024-06-0517:28:47

GitHub Advisory Database

github.com

information disclosure

timing attacks

password hashing

account existence

software vulnerability

security update

6.9 Medium

AI Score

Confidence

Low

JSON

The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.

Affected configurations

Vulners

Node

typo3flowRange<3.3.5

typo3flowRange<3.2.7

typo3flowRange<3.1.7

typo3flowRange<3.0.10

typo3flowRange<2.3.16

CPENameOperatorVersion
typo3/flowlt3.3.5
typo3/flowlt3.2.7
typo3/flowlt3.1.7
typo3/flowlt3.0.10
typo3/flowlt2.3.16

Name	Operator	Version
typo3/flow	lt	3.3.5
typo3/flow	lt	3.2.7
typo3/flow	lt	3.1.7
typo3/flow	lt	3.0.10
typo3/flow	lt	2.3.16

References

github.com/advisories/GHSA-r6mm-wmhf-849m

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/flow/2016-11-01.yaml

www.neos.io/blog/flow-sa-2016-001.html

6.9 Medium

AI Score

Confidence

Low

JSON