3242 matches found
CVE-2023-46739
CVE-2023-46739 affects CubeFS (open-source cloud-native file storage). In the CubeFS master component, the UserService uses raw string comparison for passwords, enabling a timing-attack which could leak user passwords. This vulnerability exists in versions prior to 3.3.1 and is fixed in v3.3.1; u...
CVE-2023-46739 Timing attack can leak user passwords
CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS...
CVE-2023-46739 Timing attack can leak user passwords
CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS...
GHSA-8579-7P32-F398 CubeFS timing attack can leak user passwords
A vulnerability was found during in the CubeFS master component that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the...
CubeFS timing attack can leak user passwords
A vulnerability was found during in the CubeFS master component that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the...
CVE-2023-50708
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...
Buffer overflow
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...
CVE-2023-50708 yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...
CVE-2023-50708 yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...
CVE-2023-50708
The CVE concerns yii2-authclient (Yii framework 2.0) where OAuth1/2 state and OpenID Connect nonce are compared with a regular string comparison, enabling a timing attack. Affected versions are prior to 2.2.15. The issue is mitigated by upgrading to 2.2.15, which patches the comparison mechanism....
yii2 security vulnerabilities
yii2 is a fast, secure and professional PHP framework. A security vulnerability exists in yii2-authclient versions prior to 2.2.15, which stems from the possibility of a timing attack in string comparison...
CVE-2023-6867
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerabili...
php: potential exposure to Marvin attack via unsafe implementation of RSA decryption API
The RSA decryption implementation using PKCS1 v1.5 padding in OpenSSL is vulnerable to a timing side-channel attack known as the Marvin Attack. This vulnerability arises because the execution time of the opensslprivatedecrypt function in PHP with OpenSSL varies based on whether a valid message is...
Timing Attack
yiisoft/yii2-authclient is vulnerable to Timing attack. The vulnerable is caused due to an insecure string comparison method strcmp used to compare a nonce. An attacker can potentially perform a time based attack to guess the nonce string...
GHSA-W8VH-P74J-X9XP yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
Impact What kind of vulnerability is it? Who is impacted? Original Report: The Oauth1/2 "state" and OpenID Connect "nonce" is vulnerable for a "timing attack" since it's compared via regular string comparison instead of Yii::$app-getSecurity-compareString. Affected Code: 1. OAuth 1 "state"...
yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
Impact What kind of vulnerability is it? Who is impacted? Original Report: The Oauth1/2 "state" and OpenID Connect "nonce" is vulnerable for a "timing attack" since it's compared via regular string comparison instead of Yii::$app-getSecurity-compareString. Affected Code: 1. OAuth 1 "state"...
PT-2023-31614 · Unknown · Yii2-Authclient
Name of the Vulnerable Software and Affected Versions: yii2-authclient versions prior to 2.2.15 Description: The issue concerns a timing attack vulnerability in the Oauth1/2 state and OpenID Connect nonce due to comparison via regular string comparison instead of using...
Golang < 1.20 Observable Discrepancy
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS1 padding may leak timing...
Timing Attack
github.com/golang/go is vulnerable to a Timing Attack. A timing-based side-channel vulnerability allows an attacker to potentially recover session key bits from RSA-based TLS key exchanges by observing the timing discrepancy between processing different inputs. While successful exploitation...
CVE-2023-45287
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS1 padding may leak timing...