CVE-2024-30257 1Panel's password verification is suspected to have a timing attack vulnerability

2024-04-1814:56:56

CWE-203

GitHub_M

github.com

panel

password verification

timing attack

vulnerability

fixed

version 1.10.3-lts

CVSS3

3.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score

6.9

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != symbol instead hmac.Equal. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:fit2cloud:1panel:1.10.2:*:*:*:*:*:*:*"
    ],
    "vendor": "fit2cloud",
    "product": "1panel",
    "versions": [
      {
        "status": "affected",
        "version": "1.10.2"
      }
    ],
    "defaultStatus": "unknown"
  }
]