3242 matches found
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Timing Attack
saleor is vulnerable to a Timing Attack. The vulnerability exists due the validatehmacsignature function which has a non constant time that can allow an attacker to infer the secret key or forge fake events...
SUSE CVE-2023-34414
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a sit...
Important: Red Hat Security Advisory: Red Hat JBoss Web Server 5.7.3 release and security update
An update is now available for Red Hat JBoss Web Server 5.7.3 on Red Hat Enterprise Linux versions 7, 8, and 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, i...
openssl: timing attack in RSA Decryption implementation
A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages...
openssl: timing attack in RSA Decryption implementation
A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages...
RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.7.3 (RHSA-2023:3420)
The remote Redhat Enterprise Linux 7 / 8 / 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:3420 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of...
openssl: timing attack in RSA Decryption implementation
A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages...
Moderate: Red Hat Security Advisory: openssl security update
An update for openssl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...
RHEL 8 : openssl (RHSA-2023:3408)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3408 advisory. OpenSSL is a toolkit that implements the Secure Sockets Layer SSL and Transport Layer Security TLS protocols, as well as a full-strength...
CVE-2023-32691
gost GO Simple Tunnel is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not...
CVE-2023-32691 ginuerzh/gost vulnerable to Timing Attack
gost GO Simple Tunnel is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not...
CVE-2023-32691 ginuerzh/gost vulnerable to Timing Attack
gost GO Simple Tunnel is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not...
CVE-2023-32691
CVE-2023-32691 affects gost (GO Simple Tunnel) written in Go. The root cause is untrusted input from an HTTP header being compared directly to a secret (not using constant-time comparison), enabling a side-channel timing attack to guess secrets. The common remediation is to switch to constant-tim...
CVE-2023-32691 ginuerzh/gost vulnerable to Timing Attack
gost GO Simple Tunnel is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not...
GO Simple Tunnel 安全漏洞
GO Simple Tunnel is a secure tunnel implemented in the GO language by ginuerzh individual developers. GO Simple Tunnel suffers from a security vulnerability that stems from the fact that sensitive information such as passwords, tokens, and API keys can only be compared using a constant-time...
CVE-2023-32694 Non-constant time HMAC comparison in Adyen plugin in Saleor
Saleor Core is a composable, headless commerce API. Saleor's validatehmacsignature function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could...