
715 matches found

OSV
added 2017/04/30 3:59 p.m., 2 views

DEBIAN-CVE-2017-8342

Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method...

CVSS 8.1 | AI score 8.1 | EPSS 0.02016
Exploits 1 | References 1
Veracode
added 2017/04/28 7:31 a.m., 12 views

Timing Attack

github.com/dgrijalva/jwt-go is vulnerable to timing attacks. This vulnerability is caused because the hashes are not compared in constant time, allowing malicious users to guess the valid hashes based on the time that a comparison takes...

AI score 6.5
Exploits 0
Hacker One
added 2017/04/26 4:31 p.m., 81 views

Shopify: ShopifyAPI is vulnerable to timing attacks.

Dear Shopify bug bounty team, The Python ShopifyAPI library is vulnerable to timing attacks, because the validate_hmac falls back to a non-constant time comparison when hmac.compare_digest is not available. I am perfectly aware that this issue is out of scope, but your Shopify Guru Jack P. kindly...

Exploits 0
Hacker One
added 2017/04/08 8:22 p.m., 35 views

Open-Xchange: Dovecot authentication is vulnerable to timing attacks.

Dear Dovecot bug bounty team, Dovecot is vulnerable to timing attacks, because the verify_credentials function in CRAM-MD5 performs a byte-by-byte comparison, which terminates early when two characters do not match. Summary --- Timing attacks are a type of side channel attack where one can discove...

AI score 0.5
Exploits 0
RedHat Linux
added 2017/04/04 5:26 p.m., 5 views

keycloak: timing attack in JWS signature verification

It was found that keycloak's implementation of HMAC verification for JWS tokens uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks...

CVSS 5.9 | AI score 5.7 | EPSS 0.02053
Exploits 0 | References 4
RedHat Linux
added 2017/04/04 5:26 p.m., 66 views

Moderate: Red Hat Security Advisory: Red Hat Single Sign-On 7.1 update on RHEL 7

Red Hat Single Sign-On 7.1 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability fr...

CVSS 7.5 | AI score 6.8 | EPSS 0.03133
Exploits 0 | References 6
RedHat Linux
added 2017/04/04 5:15 p.m., 31 views

Moderate: Red Hat Security Advisory: Red Hat Single Sign-On 7.1 update

Red Hat Single Sign-On 7.1 is now available for download from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 7.5 | AI score 6.8 | EPSS 0.03133
Exploits 0 | References 6
RedhatCVE
added 2017/04/04 4:48 p.m., 22 views

CVE-2017-2585

It was found that keycloak's implementation of HMAC verification for JWS tokens uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks...

CVSS 5.9 | AI score 3 | EPSS 0.02053
Exploits 0 | References 1
Veracode
added 2017/02/27 4:29 a.m., 4 views

Timing Attacks

drupal-hash is vulnerable to timing attacks. The library is vulnerable because it does not compare passwords in constant time, which allows malicious users to use the timing of the request to progressively identify a valid password...

AI score 6.6
Exploits 0
RedhatCVE
added 2017/02/21 1:48 p.m., 23 views

CVE-2017-3156

It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC...

CVSS 7.5 | AI score 2.2 | EPSS 0.06315
Exploits 0 | References 2
OSV
added 2017/02/13 6:59 p.m., 2 views

UBUNTU-CVE-2016-3995

The timing attack protection in Rijndael::Enc::ProcessAndXorBlock and Rijndael::Dec::ProcessAndXorBlock in Crypto++ aka cryptopp before 5.6.4 may be optimized out by the compiler, which allows attackers to conduct timing attacks...

CVSS 7.5 | AI score 7 | EPSS 0.01858
Exploits 0 | References 3
Tenable Nessus
added 2017/01/30 12:00 a.m., 61 views

Ubuntu 14.04 LTS / 16.04 LTS : Thunderbird vulnerabilities (USN-3165-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3165-1 advisory. Multiple memory safety issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker...

CVSS 9.8 | AI score 8.1 | EPSS 0.33434
Exploits 26 | References 17
Veracode
added 2017/01/04 2:49 a.m., 11 views

Timing Attacks

cf-uaa-lib is vulnerable to timing attacks. This vulnerability is caused because the HMAC hashes are not compared in constant time, allowing malicious users to guess the valid HMAC hashes based on the time that a comparison takes...

AI score 6.5
Exploits 0
Veracode
added 2016/12/30 2:52 a.m., 8 views

Timing Attacks

pylons is vulnerable to timing attacks. It is possible by comparing the time of signature comparison on signed cookies...

AI score 6.7
Exploits 0
Hacker One
added 2016/12/29 6:01 p.m., 39 views

GlobaLeaks: GlobaLeaks is vulnerable to timing attacks.

Dear GlobaLeaks bug bounty team, GlobaLeaks is vulnerable to timing attacks, because the check_password function performs a byte-by-byte comparison, which terminates early when two characters do not match. Summary --- Timing attacks are a type of side channel attack where one can discover valuable...

AI score 7
Exploits 0
Veracode
added 2016/12/07 3:42 a.m., 4 views

Timing Attacks

cookie-signature is vulnerable to timing attacks. The library is vulnerable because it does not compare MACs in constant time, which allows malicious users to use the timing of the request to progressively identify valid MAC hashes...

AI score 6.6
Exploits 0
Kitploit
added 2016/12/06 1:32 p.m., 49 views

Al-Khaser v0.65 - Public Malware Techniques Used In The Wild

al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of today's malware tricks and the goal is to see if you stay under the radar. Possible uses You are making an anti-debug plugin and you want to check its effectiveness. You want to...

AI score 7.2
Exploits 0 | References 2
Tenable Nessus
added 2016/12/02 12:00 a.m., 59 views

Debian DLA-728-1 : tomcat6 security update

Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in possible timing attacks to determine valid user names, bypass of the SecurityManager, disclosure of system properties, unrestricted access to global resources, arbitrary file overwrite...

CVSS 9.8 | AI score 6.6 | EPSS 0.90338
Exploits 11 | References 9
Tenable Nessus
added 2016/12/02 12:00 a.m., 69 views

Debian DLA-729-1 : tomcat7 security update

Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in possible timing attacks to determine valid user names, bypass of the SecurityManager, disclosure of system properties, unrestricted access to global resources, arbitrary file overwrite...

CVSS 9.8 | AI score 6.6 | EPSS 0.90338
Exploits 11 | References 9
Debian
added 2016/12/01 10:56 p.m., 68 views

[SECURITY] [DLA 729-1] tomcat7 security update

Package : tomcat7
Version : 7.0.28-4+deb7u7
CVE ID : CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 CVE-2016-6816 CVE-2016-8735
Debian Bug : 841655 842662 842663 842664 842665 842666 845385
Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP...

CVSS 9.8 | AI score 9.4 | EPSS 0.90338
Exploits 11