GHSA-6m9h-2pr2-9j8f

Source
https://github.com/advisories/GHSA-6m9h-2pr2-9j8f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-6m9h-2pr2-9j8f/GHSA-6m9h-2pr2-9j8f.json
Aliases
  • CVE-2024-30257
Published
2024-04-18T16:44:16Z
Modified
2024-04-18T17:27:01.413341Z
Details

Summary

The password check in the source code uses the `!=` operator instead of hmac.Equal, which may introduce a timing-attack vulnerability that allows the password to be brute-forced.
It is recommended to compare passwords with hmac.Equal.
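An added illustration in Go, not code from 1Panel or from the advisory: the plain string inequality beside the hmac.Equal comparison the summary recommends, plus a helper that models how many bytes the naive check examines before it answers. Hashing both values before hmac.Equal, the function names and the sample credential are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// VulnerableMatch reproduces the pattern the advisory describes: a plain
// string inequality. The comparison stops at the first differing byte, so
// its running time depends on how long a prefix of the guess is correct.
func VulnerableMatch(stored, supplied string) bool {
	return !(stored != supplied)
}

// NaiveCompareWork models the work a short-circuiting comparison does: it
// returns how many bytes are inspected before a verdict is reached. That
// count, not the boolean, is what a timing side channel exposes.
func NaiveCompareWork(stored, supplied string) int {
	if len(stored) != len(supplied) {
		return 0 // a length mismatch is decided before any byte is read
	}
	for i := 0; i < len(stored); i++ {
		if stored[i] != supplied[i] {
			return i + 1
		}
	}
	return len(stored)
}

// ConstantTimeMatch is the fix the advisory recommends. hmac.Equal wraps
// subtle.ConstantTimeCompare and inspects every byte whatever the result.
// Hashing both sides first (an assumption of this example, beyond the
// advisory's one-line recommendation) gives equal-length inputs, so a wrong
// length does not short-circuit the comparison either.
func ConstantTimeMatch(stored, supplied string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(supplied))
	return hmac.Equal(a[:], b[:])
}

func main() {
	const stored = "s3cret-example" // constructed sample value, not a real credential
	for _, guess := range []string{"x", "s3cret-Xxxxxxx", "s3cret-example"} {
		fmt.Printf("guess %q: naive work=%d vulnerable=%v constant-time=%v\n",
			guess, NaiveCompareWork(stored, guess),
			VulnerableMatch(stored, guess), ConstantTimeMatch(stored, guess))
	}
}
```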

Details

https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26

PoC

Impact

All users of this product.

References

Affected packages

Go / github.com/1Panel-dev/1Panel

Affected ranges

Type
SEMVER
Events
Introduced
0
The exact introduced commit is unknown
Fixed
1.10.3