3236 matches found
CVE-2025-59350 Timing attacks against Proxy’s basic authentication are possible
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time...
Dragonfly 安全漏洞
Dragonfly is an open source framework from DragonflyDB that allows dynamic processing of any content type. A security vulnerability exists in Dragonfly versions prior to 2.1.0, which stems from the proxy function access control mechanism using simple string comparisons, which is vulnerable to...
PT-2025-38261
Name of the Vulnerable Software and Affected Versions Dragonfly versions prior to 2.1.0 Description The access control mechanism for the Proxy feature uses simple string comparisons and is vulnerable to timing attacks. An attacker may attempt to guess the password character by character by sendin...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack via the verifyClientProof function which use Arrays.equals function. An attacker can infer sensitive authentication material by exploiting timing differences during the comparison of secret values. Remediation Upgrade...
Timing Attack Vulnerability in SCRAM Authentication
Impact A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how...
GHSA-3WFH-36RX-9537 Timing Attack Vulnerability in SCRAM Authentication
Impact A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how...
PT-2025-38753
Name of the Vulnerable Software and Affected Versions versions prior to 3.2 Description A timing attack issue exists in the SCRAM Java implementation due to the use of Arrays.equals for comparing sensitive values like client proofs and server signatures. Arrays.equals performs a short-circuit...
CVE-2025-59058
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack in the SharedKey::sign function. An attacker can potentially forge signatures by exploiting differences in processing time during HMAC signature verification. Remediation Upgrade httpsig to version 0.0.19 or higher...
httpsig-rs: HMAC verification is vulnerable to timing attack
Summary HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. Details SharedKey::sign returns a Vec which has a non-constant-time equality implementation. Hmac::finalize returns a constant-time wrapper CtOutput which was discarded. Alternatively, Hmac has a constant-ti...
GHSA-Q7PG-9PR4-MRP2 httpsig-rs: HMAC verification is vulnerable to timing attack
Summary HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. Details SharedKey::sign returns a Vec which has a non-constant-time equality implementation. Hmac::finalize returns a constant-time wrapper CtOutput which was discarded. Alternatively, Hmac has a constant-ti...
CVE-2025-59058
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version...
CVE-2025-59058 httpsig-rs's HMAC verification is vulnerable to timing attack
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version...
CVE-2025-59058 httpsig-rs's HMAC verification is vulnerable to timing attack
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version...
CVE-2025-59058 httpsig-rs's HMAC verification is vulnerable to timing attack
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version...
CVE-2025-59058
Affected software: httpsig-rs (Rust implementation of IETF RFC 9421 http message signatures). Vulnerability: Prior to version 0.0.19, HMAC signature comparison is not timing-safe, allowing a timing attack to forge signatures during HS256 verification. Impact (as stated): Attack could forge a sign...
PT-2025-37315
Name of the Vulnerable Software and Affected Versions: httpsig-rs versions prior to 0.0.19 Description: httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. The HMAC signature comparison is not timing-safe in versions prior to 0.0.19, potentially allowing an attacker to...
CVE-2025-43786
Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the application by exploit t...
Linux Distros Unpatched Vulnerability : CVE-2025-48995
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared...
Linux Distros Unpatched Vulnerability : CVE-2016-4583
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to bypass the Same Origin Policy and obtain image date from...