Lucene search
+L

52 matches found

Github Security Blog
Github Security Blog
added 2026/07/02 1:46 p.m.9 views

GoFiber Vulnerable to Username Enumeration via Timing Oracle in BasicAuth Default Authorizer

Summary The default Authorizer function in GoFiber's BasicAuth middleware uses short-circuit evaluation that skips password hash comparison for non-existent usernames. With bcrypt-hashed passwords the primary use case, the timing difference between a valid and invalid username is approximately...

8.3CVSS7.2AI score0.00696EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/06/29 8:42 p.m.18 views

CVE-2026-13758

CVE-2026-13758 affects CryptX for Perl versions before 0.088_001. The vulnerability stems from a non-constant-time comparison of AEAD authentication tags in the streaming decrypt_done path, using memNE (memcmp() != 0). The run time varies with the number of matching leading bytes across all five ...

3.7CVSS5.8AI score0.00295EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/29 8:42 p.m.6 views

CVE-2026-13758

CryptX versions before 0.088001 for Perl compare AEAD authentication tags in non-constant time in the streaming decryptdone path. The decryptdone$tag form compares it against the computed tag with memNE memcmp != 0, which short-circuits on the first differing byte, so its run time depends on the...

5.8AI score0.00295EPSS
Exploits0References3
OSV
OSV
added 2026/04/13 12:0 a.m.9 views

ALSA-2026:7670 Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs denial of service CVE-2026-21637 minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 undici:...

9.8CVSS5.8AI score0.26356EPSS
Exploits1References36
Tenable Nessus
Tenable Nessus
added 2026/04/09 12:0 a.m.6 views

RockyLinux 9 : nodejs:24 (RLSA-2026:7350)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:7350 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547...

9.8CVSS6.7AI score0.26356EPSS
Exploits1References37
OSV
OSV
added 2026/03/30 8:16 p.m.5 views

ALPINE-CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

5.9CVSS6.5AI score0.00385EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/30 7:7 p.m.2 views

CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

5.9CVSS5.8AI score0.00385EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/30 7:7 p.m.38 views

CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

5.9CVSS0.00385EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/03/30 7:7 p.m.3 views

CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

5.9CVSS6.5AI score0.00385EPSS
Exploits0
CNNVD
CNNVD
added 2026/03/30 12:0 a.m.11 views

Node.js 安全漏洞

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Versions 20.x, 22.x, 24.x, and 25.x of Node.js have security vulnerabilities. These vulnerabilities stem from HMAC verification using a comparison that does not maintain constant time, whi...

5.9CVSS6.8AI score0.00385EPSS
Exploits0References1
NVD
NVD
added 2026/03/24 7:16 p.m.5 views

CVE-2026-33429

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped...

6.3CVSS0.00316EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/01/20 12:0 a.m.5 views

MiracleLinux 8 : python-cryptography-3.2.1-4.el8 (AXSA:2021-2026:02)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2021-2026:02 advisory. python-cryptography: bleichenbacher timing oracle attack against RSA decryption CVE-2020-25659 python-cryptography: certain sequences of update call...

9.1CVSS8.2AI score0.06718EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/01/01 12:0 a.m.5 views

PT-2026-28364

Name of the Vulnerable Software and Affected Versions Doveadm affected versions not specified Description Doveadm credentials are verified using direct comparison, which is susceptible to a timing oracle attack. An attacker could potentially determine the configured credentials, leading to full...

7.7CVSS5.9AI score0.0079EPSS
Exploits7References31
Mageia
Mageia
added 2025/02/17 6:37 p.m.55 views

Updated python-cryptography & openssl packages fix security vulnerabilities

Cryptography vulnerable to NULL-dereference when loading PKCS7 certificates. CVE-2023-49083 Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659. CVE-2023-50782 Cryptography NULL pointer deference with pkcs12.serializekeyandcertificat...

7.5CVSS7.3AI score0.01118EPSS
Exploits1References4
OSV
OSV
added 2025/02/17 6:37 p.m.25 views

MGASA-2025-0069 Updated python-cryptography & openssl packages fix security vulnerabilities

Cryptography vulnerable to NULL-dereference when loading PKCS7 certificates. CVE-2023-49083 Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659. CVE-2023-50782 Cryptography NULL pointer deference with pkcs12.serializekeyandcertificat...

7.5CVSS7.7AI score0.01118EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2024/06/03 12:0 a.m.14 views

RHEL 7 : cryptography (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - python-cryptography: Bleichenbacher timing oracle attack against RSA decryption CVE-2020-25659 Note that Nessus has...

5.9CVSS6.9AI score0.02454EPSS
Exploits0References1
OpenVAS
OpenVAS
added 2024/03/04 12:0 a.m.40 views

openSUSE: Security Advisory for openssl (SUSE-SU-2023:0305-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.5CVSS7.6AI score0.59501EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2024/03/04 12:0 a.m.37 views

openSUSE: Security Advisory for openssl (SUSE-SU-2023:0311-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.5CVSS7.6AI score0.59501EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2024/02/28 12:0 a.m.22 views

SUSE: Security Advisory (SUSE-SU-2023:2634-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

5.9CVSS7.3AI score0.16195EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2024/02/05 9:30 p.m.159 views

Python Cryptography package vulnerable to Bleichenbacher timing oracle attack

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data...

7.5CVSS6.7AI score0.01118EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder