937 matches found
Timing Attack
laravel is vulnerable to timing attacks. The library does not compare the rememberme token in constant time, allowing malicious users to guess the valid token based on the time that a comparison takes...
Timing Attack
namshi/jose is vulnerable to timing attack. The vulnerability exists because it does not use a constant-time comparison when verifying HMAC values...
CVE-2017-14775
Laravel before 5.5.10 mishandles the rememberme token verification process because DatabaseUserProvider does not have constant-time token comparison...
CVE-2017-14775
Laravel before 5.5.10 mishandles the rememberme token verification process because DatabaseUserProvider does not have constant-time token comparison...
CVE-2017-14775
Laravel before 5.5.10 mishandles the rememberme token verification process because DatabaseUserProvider does not have constant-time token comparison...
Timing Attack
laravel/framework is vulnerable to timing attacks. The library does not compare rememberme tokens in constant-time, which allows attackers to use the timing of the request to progressively identify a valid token...
Timing Attack
emarref/jwt is vulnerable to a timing attack. It is possible because the verify function in Symmetric.php does not compare hashes in constant time, allowing malicious users to guess valid hashes based on the time that a comparison takes...
Timing Attack
craftcms/cms is vulnerable to timing attack. The application uses the strcmp function that compares hashes in non-constant time, allowing an attacker to use the timing of the request to progressively identify the current PHP session id...
Timing Attack
automattic/jetpack is vulnerable to timing attacks. This vulnerability is caused because the signatures are not compared in constant time, allowing malicious users to guess the valid signatures based on the time that a comparison takes...
Timing Attack
jetpack is vulnerable to timing attacks. This vulnerability is caused because the HMAC hashes are not compared in constant time, allowing malicious users to guess the valid HMAC hashes based on the time that a comparison takes...
Timing Attack
stripeevent is vulnerable to timing attacks. It does not do password comparison in constant time, because it uses a non-constant character to character comparison. Attackers can exploit this difference to perform a timing attack, essentially allowing them to guess the password one character at a...
BSA-2017-383
Security Advisory ID : BSA-2017-383 Component : OpenSSL Revision : 2.0: Interim The signing function in crypto/ecdsa/ecdsaossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve...
Timing Attacks
Malcolm Fell jwt is vulnerable to timing attacks. The library does not compare hashes in constant time, which allows malicious users to use the timing of the request to progressively identify a valid hash...
CVE-2017-5361
Request Tracker RT 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack...
DEBIAN-CVE-2017-5361
Request Tracker RT 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack...
UBUNTU-CVE-2017-5361
Request Tracker RT 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack...
openssl: Non-constant time codepath followed for certain operations in DSA implementation
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm DSA signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system...
openssl: Non-constant time codepath followed for certain operations in DSA implementation
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm DSA signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system...
Code injection
In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key from side-channel observation during the signing process can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point...
CVE-2017-9526
In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key from side-channel observation during the signing process can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point...