Username Enumeration
github.com/openbao/openbao is vulnerable to user enumeration. The vulnerability is due to timing differences in the userpass authentication method between non-existent users and users with stored credentials, which allows an attacker to enumerate valid usernames regardless of password validity...
Information Exposure
Overview: Affected versions of this package are vulnerable to Information Exposure via the pathLogin function in the userpass/pathlogin.go file. An attacker can determine whether a username exists by measuring the response time difference between authentication attempts for existing and non-existi...
CVE-2025-54999 OpenBao: Timing Side-Channel in Userpass Auth Method
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users an...
Linux Distros Unpatched Vulnerability : CVE-2022-31742
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles a...
Linux Distros Unpatched Vulnerability : CVE-2019-9815
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to...
Security Bulletin: IBM i is affected by a timing attack, handling signals in an unsafe manner, and uncontrolled memory consumption due to vulnerabilities in OpenSSH [CVE-2024-39894, CVE-2024-6387, CVE-2025-26466].
Summary: OpenSSH used by IBM i is affected by a timing attack against password entry, handling signals in an unsafe manner, and an uncontrolled increase in memory consumption as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilitie...
GLSA-202508-04 : Mozilla Network Security Service (NSS): TLS RSA decryption timing attack
The remote host is affected by the vulnerability described in GLSA-202508-04 (Mozilla Network Security Service (NSS): TLS RSA decryption timing attack). A vulnerability has been discovered in Mozilla Network Security Service (NSS). Please review the CVE identifier referenced below for details. Tenable h...
Timing Attack
Overview: Affected versions of this package are vulnerable to Timing Attack via pathLogin. An attacker can determine whether a username exists by measuring response times. Remediation: Upgrade github.com/hashicorp/vault/builtin/credential/userpass to version 1.20.1 or higher. References: GitHub...
CVE-2025-53940
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for tok...
CVE-2025-53940
CVE-2025-53940 affects Quiet, an open-source p2p chat alternative. Vulnerable in Quiet 6.1.0-alpha.4 and earlier due to an insecure, non-constant-time token verification comparison in the backend/frontend API, enabling a timing attack to guess the token character by character. The issue is resolv...
CVE-2025-53940 Quiet uses insecure, inconsistent verification on local backend token
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for tok...
PT-2025-30706 · Quiet · Quiet
Name of the Vulnerable Software and Affected Versions: Quiet versions 6.1.0-alpha.4 and below. Description: Quiet’s API for backend/frontend communication used an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker...
Quiet Security Vulnerability
Quiet is a private p2p based software from Quiet open source. A security vulnerability exists in Quiet 6.1.0-alpha.4 and earlier versions, which stems from the use of an insecure non-constant time comparison function for token validation, which could lead to a timing attack...
CVE-2025-49087
In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS7 padding mode is used...
Timing Attack
parisneo/lollms is vulnerable to timing attack. The vulnerability is due to the use of Python's default string equality operator for password comparison, which causes variable response times based on matching characters — allowing an attacker to enumerate valid usernames and incrementally guess...
Medium: python-cryptography
Issue Overview: python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS1 v1.5 ciphertext (CVE-2020-25659). Affected Packages: python-cryptography. Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Vis...