CVE-2024-7010

mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid...

CVE-2024-5124

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the '=' operator in Python. This method of comparison allows a...

CVE-2024-0436

Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the !== used for comparison. The risk is minified by the additional overhead of the request, which varies in a...

Security update for iperf

This update for iperf fixes the following issues: update to 3.17.1 bsc1224262, CVE-2024-26306: BREAKING CHANGE: iperf3's authentication features, when used with OpenSSL prior to 3.2.0, contain a vulnerability to a side-channel timing attack. To address this flaw, a change has been made to the...

CVE-2024-23953 Apache Hive: Timing Attack Against Signature in LLAP util

Use of Arrays.equals in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. The attacker should be an authorized user of the product to perform this attack. Users are recommended to upgrade to version 4.0.0,...

CVE-2024-23953 Apache Hive: Timing Attack Against Signature in LLAP util

Use of Arrays.equals in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. The attacker should be an authorized user of the product to perform this attack. Users are recommended to upgrade to version 4.0.0,...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure which allows an attacker to determine the existence of user accounts by analyzing the response times and codes. Remediation Upgrade Umbraco.Cms.Api.Management to version 14.3.2, 15.1.2 or higher. References - GitHub...

Timing Attack

tecnickcom/tcpdf is vulnerable to a Timing Attack. The vulnerability is due to the use of loose comparison != in the unserializeTCPDFtag function, which lacks a constant-time comparison, allowing an attacker to infer hash values through timing discrepancies...

USN-7180-1: Python vulnerabilities

It was discovered that Python incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code or cause a crash. CVE-2022-48560 It was discovered that Python did not properly handle XML entity declarations in plist files. An attacker could possibly use this...

Ubuntu 20.04 LTS / 22.04 LTS : Python vulnerabilities (USN-7180-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7180-1 advisory. It was discovered that Python incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code or cau...

Timing Attack

Overview django-allauth is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party social account authentication. Affected versions of this package are vulnerable to Timing Attack in the AuthenticationBackend.authenticatebyemail...

PT-2025-36296

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains an issue where MAC comparisons were not performed in constant time, potentially allowing timing attacks. The fix involves using an appropriate helper function t...

Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications

Impact Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering...

GHSA-J6VM-4R7G-X4GR Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications

Impact Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering...

Devolutions XTS.NET 安全漏洞

Devolutions XTS.NET is a pure C implementation of the XTS encryption model from Devolutions Canada, primarily used for disk encryption. A security vulnerability exists in Devolutions XTS.NET version 2024.11.19 and earlier versions that stems from the use of non-constant time encryption operations...

PT-2024-17301 · Devolutions · Devolutions.Xts.Net

Name of the Vulnerable Software and Affected Versions: Devolutions.XTS.NET versions 2024.11.19 and earlier Description: The issue concerns a non-constant time cryptographic operation, which can be exploited via timing attacks. This allows an attacker to render half of the encryption key obsolete...

Astra Linux – Vulnerability in OpenSSH

OpenSSH versions 9.5 through 9.7 before 9.8 sometimes allow timing attacks against password entry processes such as echo-off password input e.g., for su and Sudo, due to a logical error in the ObscureKeystrokeTiming mechanism. Similarly, other timing attacks against keystroke input operations may...

Timing Attack

Overview authentik-client is an authentik Affected versions of this package are vulnerable to Timing Attack due to the usage of a non-constant time comparison for the /-/metrics/ endpoint. An attacker can brute-force the SECRETKEY, which is used to authenticate the endpoint, by observing the time...

CVE-2024-52307 authentik allows a timing attack due to missing constant time comparison for metrics view

authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRETKEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be...

CVE-2024-52307 authentik allows a timing attack due to missing constant time comparison for metrics view

authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRETKEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be...