Lucene search
+L

937 matches found

Veracode
Veracode
added 2017/11/13 5:54 a.m.20 views

Timing Attack

laravel is vulnerable to timing attacks. The library does not compare the rememberme token in constant time, allowing malicious users to guess the valid token based on the time that a comparison takes...

5.9CVSS5.6AI score0.01193EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2017/10/10 2:38 a.m.13 views

Timing Attack

namshi/jose is vulnerable to timing attack. The vulnerability exists because it does not use a constant-time comparison when verifying HMAC values...

6.6AI score
Exploits0
NVD
NVD
added 2017/09/28 1:29 a.m.21 views

CVE-2017-14775

Laravel before 5.5.10 mishandles the rememberme token verification process because DatabaseUserProvider does not have constant-time token comparison...

5.9CVSS5.7AI score0.01193EPSS
Exploits0References3
Cvelist
Cvelist
added 2017/09/27 4:0 p.m.24 views

CVE-2017-14775

Laravel before 5.5.10 mishandles the rememberme token verification process because DatabaseUserProvider does not have constant-time token comparison...

5.7AI score0.01193EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2017/09/27 4:0 p.m.67 views

CVE-2017-14775

Laravel before 5.5.10 mishandles the rememberme token verification process because DatabaseUserProvider does not have constant-time token comparison...

5.9CVSS5.7AI score0.01193EPSS
Exploits0
Veracode
Veracode
added 2017/09/22 8:28 a.m.11 views

Timing Attack

laravel/framework is vulnerable to timing attacks. The library does not compare rememberme tokens in constant-time, which allows attackers to use the timing of the request to progressively identify a valid token...

6.6AI score
Exploits0
Veracode
Veracode
added 2017/09/22 7:24 a.m.10 views

Timing Attack

emarref/jwt is vulnerable to a timing attack. It is possible because the verify function in Symmetric.php does not compare hashes in constant time, allowing malicious users to guess valid hashes based on the time that a comparison takes...

6.5AI score
Exploits0
Veracode
Veracode
added 2017/09/15 8:44 a.m.14 views

Timing Attack

craftcms/cms is vulnerable to timing attack. The application uses the strcmp function that compares hashes in non-constant time, allowing an attacker to use the timing of the request to progressively identify the current PHP session id...

6.7AI score
Exploits0
Veracode
Veracode
added 2017/09/05 12:29 p.m.11 views

Timing Attack

automattic/jetpack is vulnerable to timing attacks. This vulnerability is caused because the signatures are not compared in constant time, allowing malicious users to guess the valid signatures based on the time that a comparison takes...

6.5AI score
Exploits0
Veracode
Veracode
added 2017/09/05 10:34 a.m.17 views

Timing Attack

jetpack is vulnerable to timing attacks. This vulnerability is caused because the HMAC hashes are not compared in constant time, allowing malicious users to guess the valid HMAC hashes based on the time that a comparison takes...

6.5AI score
Exploits0
Veracode
Veracode
added 2017/08/29 5:34 a.m.5 views

Timing Attack

stripeevent is vulnerable to timing attacks. It does not do password comparison in constant time, because it uses a non-constant character to character comparison. Attackers can exploit this difference to perform a timing attack, essentially allowing them to guess the password one character at a...

6.8AI score
Exploits0
Broadcom
Broadcom
added 2017/08/25 12:0 a.m.9 views

BSA-2017-383

Security Advisory ID : BSA-2017-383 Component : OpenSSL Revision : 2.0: Interim The signing function in crypto/ecdsa/ecdsaossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve...

5.5CVSS9.2AI score0.00594EPSS
Exploits0
Veracode
Veracode
added 2017/07/25 10:24 p.m.14 views

Timing Attacks

Malcolm Fell jwt is vulnerable to timing attacks. The library does not compare hashes in constant time, which allows malicious users to use the timing of the request to progressively identify a valid hash...

7.5CVSS7.3AI score0.00724EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2017/07/03 4:29 p.m.27 views

CVE-2017-5361

Request Tracker RT 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack...

5.9CVSS5.9AI score0.01368EPSS
Exploits0References3
OSV
OSV
added 2017/07/03 4:29 p.m.4 views

DEBIAN-CVE-2017-5361

Request Tracker RT 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack...

5.9CVSS6.6AI score0.01368EPSS
Exploits0References1
OSV
OSV
added 2017/07/03 4:29 p.m.3 views

UBUNTU-CVE-2017-5361

Request Tracker RT 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack...

5.9CVSS7.3AI score0.01368EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2017/06/28 8:20 p.m.7 views

openssl: Non-constant time codepath followed for certain operations in DSA implementation

It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm DSA signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system...

5.5CVSS7.2AI score0.01174EPSS
Exploits1References6
RedHat Linux
RedHat Linux
added 2017/06/28 7:59 p.m.6 views

openssl: Non-constant time codepath followed for certain operations in DSA implementation

It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm DSA signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system...

5.5CVSS7.2AI score0.01174EPSS
Exploits1References6
Prion
Prion
added 2017/06/11 2:29 a.m.21 views

Code injection

In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key from side-channel observation during the signing process can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point...

4.3CVSS6.7AI score0.02318EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2017/06/11 2:29 a.m.18 views

CVE-2017-9526

In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key from side-channel observation during the signing process can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point...

5.9CVSS6.5AI score
Exploits0References7
Rows per page
Query Builder