CVE-2022-24912

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24912
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24912.json
Aliases
Published
2022-07-29T10:15:12Z
Modified
2023-11-29T09:29:39.216170Z
Details

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.

References

Affected packages

Git / github.com/runatlantis/atlantis

Affected ranges

Type
GIT
Repo
https://github.com/runatlantis/atlantis
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.17.0
v0.17.0-beta
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.19.0
v0.19.1
v0.19.2
v0.19.2-pre.20220408
v0.19.3
v0.19.3-pre.20220408
v0.19.3-pre.20220429
v0.19.4
v0.19.4-pre.20220513
v0.19.5
v0.19.5-pre.20220616
v0.19.5-pre.20220622
v0.19.5-pre.20220628
v0.19.6
v0.19.7-pre.20220713
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.3.0
v0.3.1
v0.3.10
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.4.15
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.7.1
v0.7.2
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0