GO-2022-0534

Source
https://storage.googleapis.com/go-vulndb/ID/GO-2022-0534.json
Aliases
Published
2022-08-11T20:54:51Z
Modified
2022-09-20T15:16:04Z
Details

Validation of Gitlab requests can leak secrets.

The package github.com/runatlantis/atlantis/server/controllers/events uses a non-constant time comparison for secrets while validating a Gitlab request. This allows for a timing attack where an attacker can recover a secret and then forge the request.

References

Affected packages

Go / github.com/runatlantis/atlantis

github.com/runatlantis/atlantis

Affected ranges

Type
SEMVER
Events
Introduced
0
Fixed
0.19.7

Affected versions

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/runatlantis/atlantis/server/controllers/events",
            "symbols": [
                "DefaultGitlabRequestParserValidator.ParseAndValidate"
            ]
        }
    ]
}

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2022-0534"
}