
CVE-2017-9735: Remove a timing channel in Password matching · Issue #1556 · eclipse/jetty.project

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
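A timing channel of this kind typically comes from a comparison that returns at the first mismatch. The Java below is an added example, not Jetty's `Password.java` or its fix; the class name, method names and sample password are hypothetical and constructed for illustration. It puts an early-exit comparison beside one whose running time depends only on the length of the supplied guess.

```java
// Added illustration; names are hypothetical, not taken from Jetty.
public class PasswordCompare {

    // Leaky: returns at the first mismatching character, so the time to
    // rejection grows with the length of the correct prefix supplied.
    static boolean leakyEquals(String known, String supplied) {
        if (known.length() != supplied.length())
            return false;                 // fast path also reveals the length
        for (int i = 0; i < known.length(); i++) {
            if (known.charAt(i) != supplied.charAt(i))
                return false;             // early exit: the timing channel
        }
        return true;
    }

    // Hardened: the loop count depends only on the supplied (caller-known)
    // length; every position is visited and differences are OR-ed together.
    static boolean constantTimeEquals(String known, String supplied) {
        if (known == null || supplied == null)
            return false;
        int lk = known.length();
        int ls = supplied.length();
        int diff = lk ^ ls;               // length mismatch recorded, no early return
        for (int i = 0; i < ls; i++) {
            // Wrap the index so a longer guess never reads out of bounds.
            char k = (lk == 0) ? 0 : known.charAt(i % lk);
            diff |= k ^ supplied.charAt(i);
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        String stored = "s3cret-constructed";   // constructed sample value
        String[] guesses = { "s3cret-constructed", "s3cret-constructeX", "s3", "" };
        for (String g : guesses) {
            // Both methods must agree on the result; only their timing differs.
            if (leakyEquals(stored, g) != constantTimeEquals(stored, g))
                throw new AssertionError("mismatch for: " + g);
            System.out.println("'" + g + "' -> " + constantTimeEquals(stored, g));
        }
    }
}
```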


Comments

@fredfeng

sbordet added a commit that referenced this issue

May 16, 2017

@sbordet

Fixed comparison logic, doh.

sbordet added a commit that referenced this issue

May 18, 2017

@sbordet

Improved logic to avoid timing attacks: now the password length cannot be inferred.

asfgit pushed a commit to apache/spark that referenced this issue

Jul 13, 2017

@kiszk @srowen

gregw added a commit that referenced this issue

Aug 18, 2017

@gregw

gregw added a commit that referenced this issue

Aug 19, 2017

@gregw

joakime changed the title from "A timing channel in Password.java" to "Remove a timing channel in Password matching"

Sep 13, 2017

syobochim added a commit to syobochim/enkan that referenced this issue

Nov 10, 2017

@syobochim

pethers added a commit to Hack23/cia that referenced this issue

Jan 20, 2018

@pethers

pethers added a commit to Hack23/cia that referenced this issue

Mar 9, 2018

@pethers
