GHSA-6m9h-2pr2-9j8f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6m9h-2pr2-9j8f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-6m9h-2pr2-9j8f/GHSA-6m9h-2pr2-9j8f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6m9h-2pr2-9j8f
- Aliases
- Related
- Published
- 2024-04-18T16:44:16Z
- Modified
- 2025-02-11T19:02:38Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- 1Panel's password verification is suspected to have a timing attack vulnerability
- Details
-
Summary
源码中密码校验处使用 != 符号,而不是
hmac.Equal,这可能导致产生计时攻击漏洞,从而爆破密码。
建议使用hmac.Equal比对密码。Translation:
The source code uses the != symbol instead of hmac.Equal for password verification, which may lead to timing attack vulnerabilities that can lead to password cracking. It is recommended to use hmac. Equal to compare passwords.
Details
https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26
Impact
该产品的所有使用者。
Translation:
All users of this product.
- Database specific
{ "nvd_published_at": "2024-04-18T15:15:30Z", "cwe_ids": [ "CWE-203" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-04-18T16:44:16Z" }- References
Affected packages
Go / github.com/1Panel-dev/1Panel
Package
- Name
- github.com/1Panel-dev/1Panel
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/1Panel-dev/1Panel