GHSA-xfqg-p48g-hh94
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xfqg-p48g-hh94
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-xfqg-p48g-hh94/GHSA-xfqg-p48g-hh94.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xfqg-p48g-hh94
- Published
- 2022-06-02T21:02:00Z
- Modified
- 2024-11-28T05:37:08.207321Z
- Summary
- Login timing attack in ezsystems/ezpublish-kernel
- Details
-
Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constantauthtime'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-208" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-06-02T21:02:00Z" }- References
-
- https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94
- https://github.com/ezsystems/ezpublish-kernel/commit/913fe17281536a91437d94e8267181ae8b57f5d5
- https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce
- https://github.com/ezsystems/ezpublish-kernel
- https://issues.ibexa.co/browse/IBX-1755
Affected packages
Packagist / ezsystems/ezpublish-kernel
Package
- Name
- ezsystems/ezpublish-kernel
- Purl
- pkg:composer/ezsystems/ezpublish-kernel
Affected versions
v7.*
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.5.6-rc1
v7.5.6
v7.5.6.2
v7.5.7-rc1
v7.5.7
v7.5.7.1
v7.5.8
v7.5.9
v7.5.9.1
v7.5.10
v7.5.11
v7.5.12
v7.5.13
v7.5.14
v7.5.15
v7.5.15.1
v7.5.15.2
v7.5.16
v7.5.17
v7.5.18
v7.5.19
v7.5.20
v7.5.21
v7.5.22
v7.5.23
v7.5.24
v7.5.25
v7.5.26
v7.5.27
v7.5.28