GHSA-66m4-gc8h-hpjx

Suggest an improvement
Source
https://github.com/advisories/GHSA-66m4-gc8h-hpjx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-66m4-gc8h-hpjx/GHSA-66m4-gc8h-hpjx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-66m4-gc8h-hpjx
Aliases
Published
2023-03-12T06:30:21Z
Modified
2023-11-08T04:11:03.185983Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Timing attack in eZ Platform Ibexa
Details

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constantauthtime'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

References

Affected packages

Packagist / ezsystems/ezplatform-kernel

Package

Name
ezsystems/ezplatform-kernel
Purl
pkg:composer/ezsystems/ezplatform-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.19

Affected versions

v1.*

v1.3.0
v1.3.1
v1.3.1.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18

Packagist / ezsystems/ezpublish-kernel

Package

Name
ezsystems/ezpublish-kernel
Purl
pkg:composer/ezsystems/ezpublish-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.5.0
Fixed
7.5.29

Affected versions

v7.*

v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.5.6-rc1
v7.5.6
v7.5.6.2
v7.5.7-rc1
v7.5.7
v7.5.7.1
v7.5.8
v7.5.9
v7.5.9.1
v7.5.10
v7.5.11
v7.5.12
v7.5.13
v7.5.14
v7.5.15
v7.5.15.1
v7.5.15.2
v7.5.16
v7.5.17
v7.5.18
v7.5.19
v7.5.20
v7.5.21
v7.5.22
v7.5.23
v7.5.24
v7.5.25
v7.5.26
v7.5.27
v7.5.28