3243 matches found
Design/Logic Flaw
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...
CVE-2022-39308
GoCD versions 19.2.0–19.10.0 are vulnerable to a timing-attack in access token validation due to non–constant-time string comparison, potentially enabling brute-forcing of API tokens. The issue is fixed in GoCD 19.11.0. Workarounds include rate limiting or introducing random delays at the GoCD se...
CVE-2022-39308 GoCD API authentication of user access tokens subject to timing attack during comparison
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...
CVE-2022-39308 GoCD API authentication of user access tokens subject to timing attack during comparison
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...
PT-2022-24889 · Gocd · Gocd
Name of the Vulnerable Software and Affected Versions: GoCD versions 19.2.0 through 19.10.0 Description: The issue concerns a timing attack in the validation of access tokens due to the use of regular string comparison instead of a constant time algorithm. This could allow a brute force attack on...
CVE-2022-39308 GoCD API authentication of user access tokens subject to timing attack during comparison
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...
New Timing Attack Against NPM Registry API Could Expose Private Packages
A novel timing attack discovered against the npm's registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats. "By creating a list of possible package names, threat actors can detect organizations' scoped privat...
CVE-2022-2891
The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that don't mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared...
Security Bulletin: IBM Informix Cryptographic Library Updates (CVE-2012-2190, CVE-2012-2191, CVE-2012-2203)
Abstract Multiple security problems exist in the IBM GSKit libraries that IBM Informix and IBM Informix ClientSDK use to provide communications security and other cryptographic functionality. Content CVE ID: CVE-2012-2190 DESCRIPTION: GSKit allows remote attackers to cause a denial of service...
PT-2022-23195 · Typo3 · Typo3
Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 7.6.58 ELTS TYPO3 versions prior to 8.7.48 ELTS TYPO3 versions prior to 9.5.37 ELTS TYPO3 versions prior to 10.4.32 TYPO3 versions prior to 11.5.16 Description: It has been discovered that observing response time durin...
Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been...
Red Hat wildfly-elytron 安全漏洞
Red Hat wildfly-elytron is the United States Red Hat Red Hat a security framework. It is used to unify security across application servers. A security vulnerability exists in Red Hat wildfly-elytron, which stems from the possibility of timing attacks through the use of insecure comparators...
Ubuntu: Security Advisory (USN-4417-2)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Ubuntu: Security Advisory (USN-4236-3)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Ubuntu: Security Advisory (USN-4397-2)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
DEBIAN-CVE-2021-3714
A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a network...
PT-2022-22251 · Mealie · Mealie
Name of the Vulnerable Software and Affected Versions: Mealie version 1.0.0beta3 Description: The issue allows user enumeration via timing response discrepancy between users and non-users when an invalid password message is displayed during an authentication attempt. Recommendations: For Mealie...
GO-2022-0534 Timing attack in github.com/runatlantis/atlantis
Validation of Gitlab requests can leak secrets. The package github.com/runatlantis/atlantis/server/controllers/events uses a non-constant time comparison for secrets while validating a Gitlab request. This allows for a timing attack where an attacker can recover a secret and then forge the reques...
wildfly-elytron: possible timing attack in ScramServer
A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality...
AMD CPU Information Disclosure Vulnerability (AMD-SB-1038, Hertzbleed)
The AMD CPU on the remote host might be prone to an information disclosure vulnerability dubbed Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier:...