36 matches found
USN-8320-1: Memcached vulnerabilities
It was discovered that Memcached's SASL password database authentication had a timing side channel when handling username and password data. A remote attacker could possibly use this issue to obtain sensitive information...
Memcached 安全漏洞
Memcached is a high-performance distributed memory object caching system developed by the Memcached community in the United States. Versions of Memcached prior to 1.6.42 contained a security vulnerability. This vulnerability stemmed from a timing side channel in the SASL password database...
Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Apache HTTP Server vulnerabilities (USN-8239-1)
The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8239-1 advisory. Bartlomiej Dmitruk and Stanislaw Strzalkowski discovered that Apache HTTP Server incorrectly handled certain memory...
GO-2026-4820 FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel in github.com/gtsteffaniak/filebrowser/backend
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel in github.com/gtsteffaniak/filebrowser/backend...
GHSA-7789-65HX-F26W FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel
Summary The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable dela...
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel
Summary The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable dela...
Fedora 42 : python-django4.2 (2026-ca3d81129a)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-ca3d81129a advisory. - Fixes CVE-2025-13473: Username enumeration through timing difference in modwsgi authentication handler - Fixes CVE-2025-14550: Potential...
Fedora 42 : python-django5 (2026-00b5bf3150)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-00b5bf3150 advisory. - Fixes CVE-2025-13473: Username enumeration through timing difference in modwsgi authentication handler - Fixes CVE-2025-14550: Potential...
GHSA-QHP6-635J-X7R2 Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Summary A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks. Details SWS validates the provided username...
User Enumeration
Django is vulnerable to user enumeration. The vulnerability is due to improper handling of authentication timing differences in the django.contrib.auth.handlers.modwsgi.checkpassword function when used with modwsgi, which allows a remote attacker to enumerate valid users by measuring response tim...
Timing Attack
Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Timing Attack in the authentication process. An attacker can infer the...
OPENSUSE-SU-2026:20184-1 Security update for python-Django
This update for python-Django fixes the following issues: Changes in python-Django: - CVE-2026-1312: Fixed potential SQL injection via QuerySet.orderby and FilteredRelation bsc1257408. - CVE-2026-1287: Fixed potential SQL injection in column aliases via control characters bsc1257407. -...
Exploit for CVE-2026-25050
CVE-2026-25050 – Authentication Timing Attack This repository...
EUVD-2025-206342
Tomahawk auth timing attack due to usage of strcmp has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client...
CVE-2025-57784
Tomahawk auth timing attack due to usage of strcmp has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client...
CVE-2025-57784
CVE-2025-57784 refers to a Tomahawk authentication timing attack in the Hiawatha webserver (version 11.7) caused by the use of strcmp in the admin handling path, which could enable a local attacker to access the management client. The Red Hat and CVE records corroborate the issue as a local-timin...
CVE-2026-23849
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuri...
CVE-2025-62181
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated...
EUVD-2025-202616
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated...
CVE-2025-62181
Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated...