GHSA-w277-wpqf-rcfv

Опубликовано: 06 фев. 2024

Источник: github

Github: Прошло ревью

Описание

Duplicate Advisory: Svix vulnerable to improper comparison of different-length signatures

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-747x-5m58-mq97. This link is maintained to preserve external references.

Original Description

The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in v1, as the signature, which would always pass verification.

Ссылки

https://github.com/svix/svix-webhooks/pull/1190
https://github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6
https://rustsec.org/advisories/RUSTSEC-2024-0010.html

Пакеты

Наименование

svix

rust

Затронутые версииВерсия исправления

< 1.17.0

1.17.0