CVE-2024-21491

Опубликовано: 13 фев. 2024

Источник: nvd

CVSS3: 5.9

CVSS3: 6.5

EPSS Низкий

Описание

Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature.

Note:

The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues.

Ссылки

https://github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6
Patch
https://github.com/svix/svix-webhooks/pull/1190
Patch
https://rustsec.org/advisories/RUSTSEC-2024-0010.html
Third Party Advisory
https://security.snyk.io/vuln/SNYK-RUST-SVIX-6230729
Third Party Advisory
https://github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6
Patch
https://github.com/svix/svix-webhooks/pull/1190
Patch
https://rustsec.org/advisories/RUSTSEC-2024-0010.html
Third Party Advisory
https://security.snyk.io/vuln/SNYK-RUST-SVIX-6230729
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:svix:svix-webhooks:*:*:*:*:*:*:*:*

Версия до 1.17.0 (исключая)

EPSS

Процентиль: 6%

0.00025

Низкий

5.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-288

CWE-347

CWE-288

Связанные уязвимости

GHSA-747x-5m58-mq97

CVSS3: 6.8

github

почти 2 года назад

svix vulnerable to Authentication Bypass

EPSS

Процентиль: 6%

0.00025

Низкий

5.9 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-288

CWE-347

CWE-288