5 matches found
GHSA-JR54-JWHJ-55GP NocoDB: User Enumeration via Sign-In Timing
Summary Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response ti...
NocoDB: User Enumeration via Sign-In Timing
Summary Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response ti...
GHSA-MMPQ-5HCV-HF2V Parse Server has a login timing side-channel reveals user existence
Impact The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant...
Parse Server has a login timing side-channel reveals user existence
Impact The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant...
GHSA-6F65-4FV2-WWCH Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Summary The NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames email addresses. Details In packages/core/src/config/auth/native-authentication-strategy.ts, the authenticate method returns immediately if a user is no...