Veracode Vulnerability Database, VERACODE:46549
History: Apr 21, 2024 - 5:43 p.m.

Observable Timing Discrepancy

2024-04-21 17:43:25
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
timing discrepancy
password verification
vulnerability
cryptographically sensitive
hmac.equal
software

CVSS3: 3.9 Low

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score: 7.1 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

1Panel is vulnerable to an Observable Timing Discrepancy. The vulnerability is due to the use of != to compare values in cryptographically sensitive password verification operations, rather than hmac.Equal. This can expose the comparison to a timing attack.
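
The difference between the two comparisons described above, as an added Go example; this is not 1Panel's code, and the function names and sample values are hypothetical. Because hmac.Equal returns immediately when its inputs differ in length, the hardened version hashes both values to fixed-length digests first.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// verifyInsecure (hypothetical name) mirrors the flagged pattern: the !=
// operator on strings is not guaranteed to run in constant time, so the
// time taken can depend on how much of the supplied value matches.
func verifyInsecure(stored, supplied string) bool {
	if stored != supplied {
		return false
	}
	return true
}

// verifyConstantTime (hypothetical name) hashes both values to 32-byte
// digests and compares them with hmac.Equal, which inspects every byte of
// equal-length inputs regardless of where they differ. Hashing first means
// the length of the supplied value does not trigger the early return that
// hmac.Equal takes on a length mismatch.
func verifyConstantTime(stored, supplied string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(supplied))
	return hmac.Equal(a[:], b[:])
}

func main() {
	const stored = "constructed-sample-secret" // constructed sample value
	inputs := []string{stored, "constructed-sample-secreT", "x", ""}
	for _, in := range inputs {
		fmt.Printf("%q insecure=%v constant=%v\n",
			in, verifyInsecure(stored, in), verifyConstantTime(stored, in))
	}
}
```

Both functions return the same accept/reject result; only the timing behaviour of the comparison differs.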
