3243 matches found
GHSA-JXQV-JCVH-7GR4 Atlantis Events vulnerable to Timing Attack
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...
Atlantis Events vulnerable to Timing Attack
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...
CVE-2022-24912
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...
CVE-2022-24912
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...
Code injection
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...
CVE-2022-24912 Timing Attack
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...
CVE-2022-24912
The vulnerability is in github.com/runatlantis/atlantis/server/controllers/events (pre-0.19.7) where webhook secret validation uses a non-constant-time comparison, enabling timing attacks to recover the secret and forge webhook events. This aligns with CVE-2022-24912 and related advisories. Impac...
CVE-2022-24912
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...
PT-2022-16979 · Atlantis · Atlantis
Name of the Vulnerable Software and Affected Versions: github.com/runatlantis/atlantis/server/controllers/events versions prior to 0.19.7 Description: The issue is related to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate th...
Atlantis 安全漏洞
Atlantis is Atlantis open source a self-hosted golang application . It listens to Terraform pull request events via webhook. A security vulnerability exists in Atlantis versions prior to 0.19.7, which stems from a Timing Attack vulnerability in the package...
CVE-2022-36885
CVE-2022-36885 affects Jenkins GitHub Plugin 1.34.4 and earlier. The vulnerability arises from a non-constant time comparison when verifying webhook signatures, enabling attackers to use statistical methods to forge a valid webhook signature. Impact is limited to systems using the vulnerable plug...
Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been...
GHSA-376V-XGJX-7MFR fastify-bearer-auth vulnerable to Timing Attack Vector
Impact fastify-bearer-auth does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events...
CVE-2022-32425
The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server's response time...
CVE-2022-32425
The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server's response time...
CVE-2022-31142 Potential Timing Attack Vector in @fastify/bearer-auth
@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750,...
CVE-2022-31142 Potential Timing Attack Vector in @fastify/bearer-auth
@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750,...
CVE-2022-31142 Potential Timing Attack Vector in @fastify/bearer-auth
@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750,...
Mealie 安全漏洞
Mealie is a self-hosted recipe manager and meal planner by an individual developer in Hayden, USA. A security vulnerability exists in Mealie v1.0.0beta-2, which stems from a login feature that allows an attacker to enumerate existing usernames by timing the server's response time...