CVE-2023-32691

Опубликовано: 30 мая 2023

Источник: nvd

CVSS3: 5.9

EPSS Низкий

Описание

gost (GO Simple Tunnel) is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not secure, an attacker can mount a side-channel timing attack to guess the password. As a workaround, this can be easily fixed using a constant time comparing function such as crypto/subtle's ConstantTimeCompare.

Ссылки

https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46
Product
https://github.com/ginuerzh/gost/security/advisories/GHSA-qjrq-hm79-49ww
Exploit
Vendor Advisory
https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46
Product
https://github.com/ginuerzh/gost/security/advisories/GHSA-qjrq-hm79-49ww
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:*:*:*:*:*:go:*:*

Версия до 2.11.5 (включая)

EPSS

Процентиль: 44%

0.00215

Низкий

5.9 Medium

CVSS3

5.9 Medium

CVSS3

Дефекты

CWE-203

Связанные уязвимости

GHSA-qjrq-hm79-49ww

CVSS3: 5.9

github

больше 2 лет назад

ginuerzh/gost vulnerable to Timing Attack

EPSS

Процентиль: 44%

0.00215

Низкий

5.9 Medium

CVSS3

5.9 Medium

CVSS3

Дефекты

CWE-203