CVE-2022-24912

Опубликовано: 29 июл. 2022

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.

Ссылки

https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
Patch
Third Party Advisory
https://github.com/runatlantis/atlantis/issues/2391
Exploit
Issue Tracking
Third Party Advisory
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851
Exploit
Issue Tracking
Patch
Third Party Advisory
https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
Patch
Third Party Advisory
https://github.com/runatlantis/atlantis/issues/2391
Exploit
Issue Tracking
Third Party Advisory
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851
Exploit
Issue Tracking
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:runatlantis:atlantis:*:*:*:*:*:*:*:*

Версия до 0.19.7 (исключая)

EPSS

Процентиль: 45%

0.00221

Низкий

7.5 High

CVSS3

Дефекты

CWE-203

Связанные уязвимости

GHSA-jxqv-jcvh-7gr4