CVE-2022-24912

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24912
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24912.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-24912
Aliases
Related
Published
2022-07-29T10:15:12Z
Modified
2025-01-15T02:18:13.162508Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Versions of the package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.
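
The class of flaw described above, as an added Go example (not Atlantis's code): a webhook secret check using ordinary string equality beside one using `crypto/subtle.ConstantTimeCompare`. The header name `X-Webhook-Token`, the function names, the URL and the sample secret are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

// secretHeader is a hypothetical header name used only in this example.
const secretHeader = "X-Webhook-Token"

// validateVariableTime shows the flawed pattern: ordinary string equality is
// not guaranteed to take the same time for every input and may stop at the
// first difference, so its duration can depend on how much of the presented
// value matches the configured secret.
func validateVariableTime(r *http.Request, secret []byte) bool {
	return r.Header.Get(secretHeader) == string(secret)
}

// validateConstantTime hashes both values to a fixed length before comparing,
// so neither the position of a mismatch nor the length of the secret
// influences how long the comparison takes.
func validateConstantTime(r *http.Request, secret []byte) bool {
	got := sha256.Sum256([]byte(r.Header.Get(secretHeader)))
	want := sha256.Sum256(secret)
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

// newRequest builds a constructed sample webhook delivery carrying token.
func newRequest(token string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "http://atlantis.example/events", nil)
	r.Header.Set(secretHeader, token)
	return r
}

func main() {
	secret := []byte("constructed-sample-secret") // constructed value, not a real secret
	samples := []string{"constructed-sample-secret", "constructed-sample-secreX", ""}
	for _, tok := range samples {
		r := newRequest(tok)
		fmt.Printf("%q variable=%v constant=%v\n", tok,
			validateVariableTime(r, secret), validateConstantTime(r, secret))
	}
}
```

Both validators accept and reject the same inputs; they differ only in whether the comparison time depends on the presented value.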

Affected packages

Git / github.com/runatlantis/atlantis

Affected ranges

Type
GIT
Repo
https://github.com/runatlantis/atlantis
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.17.0
v0.17.0-beta
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.19.0
v0.19.1
v0.19.2
v0.19.2-pre.20220408
v0.19.3
v0.19.3-pre.20220408
v0.19.3-pre.20220429
v0.19.4
v0.19.4-pre.20220513
v0.19.5
v0.19.5-pre.20220616
v0.19.5-pre.20220622
v0.19.5-pre.20220628
v0.19.6
v0.19.7-pre.20220713
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.3.0
v0.3.1
v0.3.10
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.4.15
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.7.1
v0.7.2
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0