Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.24 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that stems from the use of non-constant time string comparisons for hook token validation, which can be exploited by an attacker to infer a token via a timed side channel...

EUVD-2024-2372

Malicious code in bioql PyPI...

CVE-2024-41828

CVE-2024-41828 affects JetBrains TeamCity prior to 2024.07, where the comparison of authorization tokens is performed in non-constant time. Red Hat and vendor advisories corroborate this, indicating the root cause is timing-related handling of tokens that can impact confidentiality. The vulnerabi...

GHSA-J8CM-G7R6-HFPQ vodozemac's usage of non-constant time base64 decoder could lead to leakage of secret key material

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. Impa...

RUSTSEC-2024-0354 Usage of non-constant time base64 decoder could lead to leakage of secret key material

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. Impa...

Authentication flaw

libjwt 1.15.3 uses strcmp which is not constant time to verify authentication, which makes it easier to bypass authentication via a timing side channel...

CVE-2024-23903

Jenkins GitLab Branch Source Plugin 684.veafa7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token...

GHSA-2XPQ-5952-38W3 Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison

Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this...

CVE-2023-46657

Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token...

CVE-2023-46660

Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token...

Non-constant time nonce comparison in Jenkins Microsoft Entra ID (previously Azure AD) Plugin

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce...

GO-2023-1733 Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib

Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib...

GO-2023-1732 Timing attack from non-constant time scalar multiplication in github.com/bnb-chain/tss-lib

Timing attack from non-constant time scalar multiplication in github.com/bnb-chain/tss-lib...

Timing Attack

saleor is vulnerable to a Timing Attack. The vulnerability exists due the validatehmacsignature function which has a non constant time that can allow an attacker to infer the secret key or forge fake events...

IO FinNet tss-lib vulnerable to timing attack from non-constant time scalar arithmetic

io.finnet tss-lib before 2.0.0 can leak the lambda value of a private key via a timing side-channel attack because it relies on Go big.Int, which is not constant time for Cmp, modular exponentiation, or modular inverse. An example leak is in crypto/paillier/paillier.go. bnb-chain/tss-lib and...

CVE-2023-26556

io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic, which is not constant time there is an if statement in a loop. One leak is in ecdsa/keygen/round2.go. bnb-chain/tss-lib and...

Observable Discrepancy

io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic, which is not constant time there is an if statement in a loop. One leak is in ecdsa/keygen/round2.go. bnb-chain/tss-lib and...

Design/Logic Flaw

The elliptic curve cryptography ECC hardware accelerator, part of the ARM® TrustZone® CryptoCell 310, contained in the NordicSemiconductor nRF52840 through 2021-03-29 has a non-constant time ECDSA implemenation. This allows an adversary to recover the private ECC key used during an ECDSA operatio...

CVE-2020-2102

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC...