Lucene search
K

3242 matches found

CVE
CVE
added 2024/01/03 4:15 p.m.59 views

CVE-2023-46739

CVE-2023-46739 affects CubeFS (open-source cloud-native file storage). In the CubeFS master component, the UserService uses raw string comparison for passwords, enabling a timing-attack which could leak user passwords. This vulnerability exists in versions prior to 3.3.1 and is fixed in v3.3.1; u...

6.5CVSS5.5AI score0.00353EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2024/01/03 4:15 p.m.33 views

CVE-2023-46739 Timing attack can leak user passwords

CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS...

6.5CVSS6.5AI score0.00353EPSS
Exploits0References2
OSV
OSV
added 2024/01/03 4:15 p.m.35 views

CVE-2023-46739 Timing attack can leak user passwords

CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS...

6.5CVSS6AI score0.00353EPSS
Exploits0References4
OSV
OSV
added 2024/01/03 4:13 p.m.25 views

GHSA-8579-7P32-F398 CubeFS timing attack can leak user passwords

A vulnerability was found during in the CubeFS master component that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the...

8.2CVSS5.9AI score0.00353EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2024/01/03 4:13 p.m.30 views

CubeFS timing attack can leak user passwords

A vulnerability was found during in the CubeFS master component that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the...

6.5CVSS7AI score0.00353EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2023/12/22 7:15 p.m.13 views

CVE-2023-50708

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...

9.8CVSS0.00716EPSS
Exploits1References5
Prion
Prion
added 2023/12/22 7:15 p.m.17 views

Buffer overflow

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...

7.5CVSS7AI score0.00716EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2023/12/22 6:25 p.m.40 views

CVE-2023-50708 yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...

6.1CVSS9.7AI score0.00716EPSS
Exploits1References5
OSV
OSV
added 2023/12/22 6:25 p.m.34 views

CVE-2023-50708 yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...

6.1CVSS9.2AI score0.00716EPSS
Exploits1References7
CVE
CVE
added 2023/12/22 6:25 p.m.92 views

CVE-2023-50708

The CVE concerns yii2-authclient (Yii framework 2.0) where OAuth1/2 state and OpenID Connect nonce are compared with a regular string comparison, enabling a timing attack. Affected versions are prior to 2.2.15. The issue is mitigated by upgrading to 2.2.15, which patches the comparison mechanism....

9.8CVSS7.8AI score0.00716EPSS
Exploits1References5Affected Software1
CNNVD
CNNVD
added 2023/12/22 12:0 a.m.4 views

yii2 security vulnerabilities

yii2 is a fast, secure and professional PHP framework. A security vulnerability exists in yii2-authclient versions prior to 2.2.15, which stems from the possibility of a timing attack in string comparison...

9.8CVSS6.7AI score0.00716EPSS
Exploits1References6
OSV
OSV
added 2023/12/19 2:15 p.m.4 views

CVE-2023-6867

The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerabili...

6.1CVSS7.9AI score
Exploits0References6
RedHat Linux
RedHat Linux
added 2023/12/19 9:57 a.m.6 views

php: potential exposure to Marvin attack via unsafe implementation of RSA decryption API

The RSA decryption implementation using PKCS1 v1.5 padding in OpenSSL is vulnerable to a timing side-channel attack known as the Marvin Attack. This vulnerability arises because the execution time of the opensslprivatedecrypt function in PHP with OpenSSL varies based on whether a valid message is...

5.9CVSS5.9AI score0.01158EPSS
Exploits1References5
Veracode
Veracode
added 2023/12/19 6:56 a.m.23 views

Timing Attack

yiisoft/yii2-authclient is vulnerable to Timing attack. The vulnerable is caused due to an insecure string comparison method strcmp used to compare a nonce. An attacker can potentially perform a time based attack to guess the nonce string...

9.8CVSS6.7AI score0.00716EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2023/12/18 8:1 p.m.14 views

GHSA-W8VH-P74J-X9XP yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

Impact What kind of vulnerability is it? Who is impacted? Original Report: The Oauth1/2 "state" and OpenID Connect "nonce" is vulnerable for a "timing attack" since it's compared via regular string comparison instead of Yii::$app-getSecurity-compareString. Affected Code: 1. OAuth 1 "state"...

9.4AI score0.00716EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2023/12/18 8:1 p.m.27 views

yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

Impact What kind of vulnerability is it? Who is impacted? Original Report: The Oauth1/2 "state" and OpenID Connect "nonce" is vulnerable for a "timing attack" since it's compared via regular string comparison instead of Yii::$app-getSecurity-compareString. Affected Code: 1. OAuth 1 "state"...

9.8CVSS7AI score0.00716EPSS
Exploits1References7Affected Software1
Positive Technologies
Positive Technologies
added 2023/12/18 12:0 a.m.5 views

PT-2023-31614 · Unknown · Yii2-Authclient

Name of the Vulnerable Software and Affected Versions: yii2-authclient versions prior to 2.2.15 Description: The issue concerns a timing attack vulnerability in the Oauth1/2 state and OpenID Connect nonce due to comparison via regular string comparison instead of using...

9.8CVSS9.4AI score0.00716EPSS
Exploits1References10
Tenable Nessus
Tenable Nessus
added 2023/12/08 12:0 a.m.50 views

Golang < 1.20 Observable Discrepancy

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS1 padding may leak timing...

7.5CVSS6.9AI score0.0125EPSS
Exploits0References3
Veracode
Veracode
added 2023/12/07 11:35 a.m.26 views

Timing Attack

github.com/golang/go is vulnerable to a Timing Attack. A timing-based side-channel vulnerability allows an attacker to potentially recover session key bits from RSA-based TLS key exchanges by observing the timing discrepancy between processing different inputs. While successful exploitation...

7.5CVSS6.5AI score0.0125EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2023/12/05 5:15 p.m.7 views

CVE-2023-45287

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS1 padding may leak timing...

7.5CVSS7.5AI score
Exploits0References6
Rows per page
Query Builder