Lucene search
K

920 matches found

OSV
OSV
added 2026/04/24 8:36 p.m.6 views

GHSA-6X2Q-H3CR-8J2H Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware

Summary There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-tim...

6.3CVSS5.8AI score0.00369EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/24 8:36 p.m.13 views

Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware

Summary There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-tim...

6.3CVSS6.1AI score0.00385EPSS
Exploits0References6Affected Software3
Snyk
Snyk
added 2026/04/23 12:0 a.m.5 views

Timing Attack

Overview Affected versions of this package are vulnerable to Timing Attack in DevTool due to comparing the user-provided "remote secret" against the actual secret using standard string comparison logic like String.equals or ==. Standard string comparisons are not constant-time. They evaluate...

7.7CVSS5.5AI score0.00262EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/04/21 12:0 a.m.6 views

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011046)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011046 advisory. In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared ...

5.6AI score0.00193EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/04/21 12:0 a.m.6 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013091)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013091 advisory. In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared ...

5.6AI score0.00193EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/17 6:31 p.m.6 views

EUVD-2026-22872

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84...

10CVSS5.8AI score0.00691EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/04/17 12:0 a.m.7 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007335)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007335 advisory. In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared ...

5.6AI score0.00193EPSS
Exploits0References4
OSV
OSV
added 2026/04/16 11:36 p.m.5 views

BIT-AUTHENTIK-2024-52307 authentik allows a timing attack due to missing constant time comparison for metrics view

authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRETKEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be...

6.3CVSS5.5AI score0.00531EPSS
Exploits0References4
OSV
OSV
added 2026/04/16 9:10 p.m.6 views

GHSA-WQQ3-WFMP-V85G Mojic: Observable Timing Discrepancy in HMAC Verification

Summary The CipherEngine in Mojic v2.1.3 uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208, allowing a potential attacker to bypass the file integrity check via a timing attack. Details...

4.7CVSS6AI score0.00108EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/16 9:10 p.m.9 views

Mojic: Observable Timing Discrepancy in HMAC Verification

Summary The CipherEngine in Mojic v2.1.3 uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208, allowing a potential attacker to bypass the file integrity check via a timing attack. Details...

4.7CVSS6AI score0.00108EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/15 10:16 a.m.10 views

DEBIAN-CVE-2026-5598

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84...

9.9CVSS7.2AI score0.00691EPSS
Exploits0References1
NVD
NVD
added 2026/04/15 10:16 a.m.5 views

CVE-2026-5598

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84...

9.9CVSS0.00691EPSS
Exploits0References11
Debian CVE
Debian CVE
added 2026/04/15 9:5 a.m.5 views

CVE-2026-5598

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84...

9.9CVSS7.2AI score0.00691EPSS
Exploits0
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.8 views

Bouncy Castle Java 安全漏洞

Bouncy Castle Java is an open-source encryption algorithm developed by Legion of the Bouncy Castle Inc. There were security vulnerabilities in Bouncy Castle Java versions from 2.17.3 to 1.84. These vulnerabilities stemmed from non-constant time comparisons, which could lead to the exposure of the...

9.9CVSS7.1AI score0.00691EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.7 views

PT-2026-33032

Name of the Vulnerable Software and Affected Versions BC-JAVA versions 1.71 through 1.83 Description A covert timing channel exists in the BC-JAVA core modules, specifically associated with the program files FrodoEngine.Java. A covert timing channel is a method of transferring information from on...

9.9CVSS6.3AI score0.00691EPSS
Exploits0References134
RedHat Linux
RedHat Linux
added 2026/04/13 3:0 a.m.5 views

Node.js: Node.js: Information disclosure via timing oracle in HMAC verification

A flaw was found in Node.js. The HMAC Hash-based Message Authentication Code verification process uses a comparison method that does not take a constant amount of time. This non-constant-time comparison can leak timing information, which, under specific conditions where precise timing measurement...

5.9CVSS6.5AI score0.00385EPSS
Exploits0References5
OSV
OSV
added 2026/04/07 6:16 p.m.5 views

GHSA-JJ6Q-RRRF-H66H OpenClaw: Shared-secret comparison call sites leaked length information through timing

Summary Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences. Impact The affected paths exposed a...

6.3CVSS5.8AI score0.00225EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/01 12:0 a.m.2 views

Covert Timing Channel

Overview Affected versions of this package are vulnerable to Covert Timing Channel via timing differences in RSA and CBC/ECB decryption operations when the LLVM compiler's select-optimize feature is enabled. An attacker can infer sensitive information, such as cryptographic keys, by analyzing the...

5.9CVSS5.8AI score0.0027EPSS
Exploits0References2
FreeBSD
FreeBSD
added 2026/03/31 12:0 a.m.12 views

Mbed TLS -- vulnerabilities

https://mbed-tls.readthedocs.io/en/latest/security-advisories/ reports: Client impersonation while resuming a TLS 1.3 session CVE-2026-34873 Entropy on Linux can fall back to /dev/urandom CVE-2026-34871 PSA random generator cloning CVE-2026-25835 Compiler-induced constant-time violations...

9.8CVSS5.9AI score0.00426EPSS
Exploits0References1
NVD
NVD
added 2026/03/30 8:16 p.m.5 views

CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

5.9CVSS0.00385EPSS
Exploits0References1
Rows per page
Query Builder