GHSA-6pq8-67pw-j6hw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6pq8-67pw-j6hw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-6pq8-67pw-j6hw/GHSA-6pq8-67pw-j6hw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6pq8-67pw-j6hw
- Published
- 2024-05-17T23:03:25Z
- Modified
- 2024-12-02T05:39:36.336585Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Time-Based Information Disclosure Vulnerability in Flow
- Details
-
The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-17T23:03:25Z" }- References
Affected packages
Packagist / neos/flow
Package
- Name
- neos/flow
- Purl
- pkg:composer/neos/flow
Packagist / neos/flow
Package
- Name
- neos/flow
- Purl
- pkg:composer/neos/flow
Packagist / neos/flow
Package
- Name
- neos/flow
- Purl
- pkg:composer/neos/flow
Packagist / neos/flow
Package
- Name
- neos/flow
- Purl
- pkg:composer/neos/flow
Packagist / neos/flow
Package
- Name
- neos/flow
- Purl
- pkg:composer/neos/flow