GO-2022-0534

Source
https://pkg.go.dev/vuln/GO-2022-0534
Import Source
https://vuln.go.dev/ID/GO-2022-0534.json
Aliases
Published
2022-08-11T20:54:51Z
Modified
2023-11-08T04:08:40.155883Z
Details

Validation of Gitlab requests can leak secrets.

The package github.com/runatlantis/atlantis/server/controllers/events uses a non-constant time comparison for secrets while validating a Gitlab request. This allows for a timing attack where an attacker can recover a secret and then forge the request.

References

Affected packages

Go / github.com/runatlantis/atlantis

Affected ranges

Type
SEMVER
Events
Introduced
0The exact introduced commit is unknown
Fixed
0.19.7

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/runatlantis/atlantis/server/controllers/events",
            "symbols": [
                "DefaultGitlabRequestParserValidator.ParseAndValidate"
            ]
        }
    ]
}