Time-Based Information Disclosure Vulnerability in Flow

2024-06-0517:28:47

Google

osv.dev

information disclosure

timing attacks

hashing

password comparison

software

6.9 Medium

AI Score

Confidence

Low

JSON

The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.

CPENameOperatorVersion
typo3/floweq2.3.14
typo3/floweq3.0.9
typo3/floweq3.2.0
typo3/floweq3.1.1
typo3/floweq3.2.1
typo3/floweq3.0.7
typo3/floweq3.1.0
typo3/floweq2.3.2
typo3/floweq3.2.5
typo3/floweq3.0.5

Name	Operator	Version
typo3/flow	eq	2.3.14
typo3/flow	eq	3.0.9
typo3/flow	eq	3.2.0
typo3/flow	eq	3.1.1
typo3/flow	eq	3.2.1
typo3/flow	eq	3.0.7
typo3/flow	eq	3.1.0
typo3/flow	eq	2.3.2
typo3/flow	eq	3.2.5
typo3/flow	eq	3.0.5

Rows per page:

1-10 of 451

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/flow/2016-11-01.yaml

github.com/neos/flow

www.neos.io/blog/flow-sa-2016-001.html

6.9 Medium

AI Score

Confidence

Low

JSON