
CVE-2024-0436

2024-02-26 16:27:50
CWE-764
web.nvd.nist.gov
brute-force, timing attack, single-user protection

CVSS3: 7.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS: 0
Percentile: 9.0%

Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the !== used for comparison.

The risk is reduced by the additional overhead of each request, which varies non-deterministically and makes the attack less reliable to execute.
