3231 matches found
RHCOS 4 : OpenShift Container Platform 4.15.z (RHSA-2023:7200)
The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7200 advisory. - golang: net/http, x/net/http2: rapid stream resets can cause excessive work CVE-2023-44487 CVE-2023-39325 - golang:...
KLA91019 Multiple vulnerabilities in Apache HTTP Server
Multiple vulnerabilities were found in Apache HTTP Server. Malicious users can exploit these vulnerabilities to cause denial of service, obtain sensitive information, bypass security restrictions, execute arbitrary code, inject malicious code, gain privileges. Below is a complete list of...
Astra Linux – Vulnerability in libgcrypt20
It was discovered that there was an ECDSA timing attack in the libgcrypt20 cryptographic library. Affected versions: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Fixed versions: 1.8.5-2 and 1.6.3-2+deb8u7...
Astra Linux – Vulnerability in Firefox and Thunderbird
The error page for sites with invalid TLS certificates lacked the activation-delay feature provided by Firefox to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page triggered user clicks at specific locations immediately before...
Astra Linux – Vulnerability in libmojolicious-perl
The Mojolicious module prior to version 8.65 for Perl is vulnerable to secure_compare timing attacks, which allow an attacker to guess the length of a secret string. Only versions after 1.74 are affected...
Exploit for CVE-2026-42167
CVE-2026-42167 Master Exploit Tool A professional security re...
bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons
A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...
Sensitive Information Disclosure
Spring Security is vulnerable to Sensitive Information Disclosure. The vulnerability is due to bypass of timing attack protections in DaoAuthenticationProvider when handling disabled, expired, or locked user states, which allows an attacker to infer user account status through response timing...
Traefik security vulnerability
Traefik is an open-source reverse proxy and load balancing tool developed by Traefik. Versions prior to Traefik 2.11.43, 3.6.14, and 3.7.0-rc.2 contain security vulnerabilities. These vulnerabilities stem from variables used in the BasicAuth middleware for constant-time comparisons, which are...
Amazon Linux 2 : dovecot (ALAS2-2026-3252 / ALAS-2026-3252)
The version of dovecot installed on the remote host is prior to 2.2.36-6. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3252 advisory. Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can us...
Timing Attack
org.springframework.boot, spring-boot-devtools is vulnerable to a timing attack. The vulnerability is due to insecure comparison of the DevTools remote secret, which allows an attacker on the same network to exploit timing differences to guess the secret and potentially achieve remote code...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack via the PKCS7 padding check. An attacker can obtain sensitive information by exploiting timing differences during decryption. Remediation A fix was pushed into the master branch but not yet published. References - GitHub...
USN-8136-2: Dovecot regression
USN-8136-1 fixed vulnerabilities in Dovecot. The update caused a regression on Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Dovecot incorrectly handled invalid base64 SASL data. An...
Spring Boot DevTools remote secret comparison is vulnerable to timing attacks
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...
GHSA-56V8-86GJ-66JP Spring Boot DevTools remote secret comparison is vulnerable to timing attacks
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...
CVE-2026-40972
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...
VMware Spring Boot security vulnerability
VMware Spring Boot is an open-source framework developed by the American company VMware. There are security vulnerabilities in versions 4.0.0 to 4.0.5, 3.5.0 to 3.5.13, 3.4.0 to 3.4.15, 3.3.0 to 3.3.18, and 2.7.0 to 2.7.32 of VMware Spring Boot. These vulnerabilities stem from a timing attack in...