GHSA-2x4v-g8cx-jxrq

Source

https://github.com/advisories/GHSA-2x4v-g8cx-jxrq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-2x4v-g8cx-jxrq/GHSA-2x4v-g8cx-jxrq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2x4v-g8cx-jxrq

Published

2022-06-02T21:02:24Z

Modified

2024-12-07T05:40:36.686265Z

Summary

Details

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constantauthtime'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-208"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-02T21:02:24Z"
}

References

Affected packages

Packagist / ibexa/core

Package

Name: ibexa/core
Purl: pkg:composer/ibexa/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.7

Affected versions

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

Packagist / ibexa/core

Package

Name: ibexa/core
Purl: pkg:composer/ibexa/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.0

Fixed

4.1.4

Affected versions

v4.*

v4.1.0

v4.1.1

v4.1.2

v4.1.3