8 matches found
GHSA-QHXG-623C-CFJM NocoDB: Plaintext Password Comparison in Shared Views
Summary The shared-view password check fell back to strict-equality === comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. Details The bcrypt branch hashes starting with $2a$/$2b$ was unaffected. The legacy fallback in View.t...
CVE-2026-41407
OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handli...
PT-2026-35790
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.2 Description A timing side channel occurs in shared-secret comparison call sites that utilize early length-mismatch checks rather than fixed-length comparison helpers. This allows attackers to measure timing...
SUSE CVE-2025-26695
When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8...
Mozilla: Cross-Origin resource's length leaked
The Mozilla Foundation Security Advisory describes this flaw as: A malicious website that could have learned the size of a cross-origin resource that supported Range requests...
Mozilla: Cross-Origin resource's length leaked
The Mozilla Foundation Security Advisory describes this flaw as: A malicious website that could have learned the size of a cross-origin resource that supported Range requests...
Timing Attack
elliptic is vulnerable to timing attack. The leakage of bit-length of a scalar during scalar multiplication on an elliptic curve is possible and can lead to the recovery of the private key under specific conditions...
DEBIAN-CVE-2012-4929
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differenc...