GITLAB-FA5AA13A3F1B2ADB2197ECD654A17AA7
Source: gitlab (https://gitlab.com/gitlab-org/security-products/gemnasium-db)
Published: Apr 18, 2024, 12:00 a.m.

1Panel's password verification is suspected to have a timing attack vulnerability

Tags: panel, password verification, timing attack, vulnerability, hmac.equal, software

CVSS3: 3.9
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score: 7.2
Confidence: Low
EPSS: 0
Percentile: 9.0%

In the source code, the password check compares values with the != operator instead of hmac.Equal. A comparison that stops at the first differing byte returns faster the earlier the mismatch occurs, so an attacker who can measure response times may be able to recover the password one byte at a time rather than brute-forcing the whole value.
It is recommended to compare passwords with hmac.Equal. hmac.Equal wraps crypto/subtle.ConstantTimeCompare and inspects every byte, so the position of the first mismatch no longer affects run time; it does, however, return immediately when the two inputs differ in length, so the values compared should be of fixed length (for example password-hash digests) rather than raw strings.
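The following Go program is an added illustration and is not 1Panel's code or the advisory's own. It models the early-exit comparison the advisory describes next to a constant-time one, counting byte comparisons so the leak is visible without timing measurements (the real oracle is wall-clock time, which the step count stands in for). The verifyVulnerable and verifyHardened functions, the sample secret "secret123" and the guesses are all constructed for the example; the SHA-256 step in verifyHardened exists only to give hmac.Equal fixed-length inputs and is not a password-storage scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// naiveEqual models an early-exit comparison such as Go's != on strings:
// it stops at the first differing byte. Besides the result it returns the
// number of byte comparisons performed, which stands in for the running time
// an attacker measures. That count equals the length of the matching prefix
// plus one, so each measurement confirms or refutes one guessed byte.
func naiveEqual(a, b []byte) (equal bool, steps int) {
	if len(a) != len(b) {
		return false, 0
	}
	for i := range a {
		steps++
		if a[i] != b[i] {
			return false, steps
		}
	}
	return true, steps
}

// constantTimeEqual has the shape of hmac.Equal / subtle.ConstantTimeCompare:
// every byte is visited and the mismatches are OR-ed together, so the step
// count is identical for every input of a given length. It is written out
// here only to expose the step count; production code should call hmac.Equal.
func constantTimeEqual(a, b []byte) (equal bool, steps int) {
	if len(a) != len(b) {
		return false, 0
	}
	var diff byte
	for i := range a {
		steps++
		diff |= a[i] ^ b[i]
	}
	return diff == 0, steps
}

// verifyVulnerable is the pattern the advisory describes: a plain != check
// (hypothetical helper, not 1Panel's actual function).
func verifyVulnerable(stored, supplied string) bool {
	if stored != supplied {
		return false
	}
	return true
}

// verifyHardened is the recommended fix (hypothetical helper). Both values
// are reduced to SHA-256 digests first so hmac.Equal always sees 32-byte
// inputs; hmac.Equal returns early on a length mismatch, so comparing raw
// strings would still leak the supplied password's length.
func verifyHardened(stored, supplied string) bool {
	storedSum := sha256.Sum256([]byte(stored))
	suppliedSum := sha256.Sum256([]byte(supplied))
	return hmac.Equal(storedSum[:], suppliedSum[:])
}

func main() {
	// Constructed sample: a stored secret and guesses matching a growing prefix.
	secret := []byte("secret123")
	for _, guess := range []string{"Xecret123", "seXret123", "secrXt123", "secret12X", "secret123"} {
		_, naive := naiveEqual(secret, []byte(guess))
		_, ct := constantTimeEqual(secret, []byte(guess))
		fmt.Printf("guess=%q naive steps=%d constant-time steps=%d\n", guess, naive, ct)
	}
	fmt.Println("vulnerable:", verifyVulnerable("secret123", "secret123"), verifyVulnerable("secret123", "secret124"))
	fmt.Println("hardened:  ", verifyHardened("secret123", "secret123"), verifyHardened("secret123", "secret124"))
}
```

Running it shows the naive step count climbing from 1 to 9 as the guessed prefix lengthens, while the constant-time count stays at 9 for every guess; that monotonic signal is what turns a 62^9 search into roughly 9 x 62 measurements. Note that Go's own string comparison may compare in word-sized chunks rather than strictly byte by byte, so the leak granularity on real hardware depends on the runtime, but the direction of the bias is the same.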

Affected configurations

Node: go/1panel, range <1.10.3
Vendor: go
Product: 1panel
Version: *
CPE: cpe:2.3:a:go:1panel:*:*:*:*:*:*:*:*
