Security
Headlines

Headlines Latest CVEs

Headline

GHSA-66m4-gc8h-hpjx: Timing attack in eZ Platform Ibexa

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time’. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

2 years ago

#vulnerability #git #auth

GitHub Advisory Database
GitHub Reviewed
CVE-2022-48366

Timing attack in eZ Platform Ibexa

Moderate severity GitHub Reviewed Published Mar 12, 2023 to the GitHub Advisory Database • Updated Mar 13, 2023

Package

composer ezsystems/ezplatform-kernel (Composer)

Affected versions

>= 1.3.0, < 1.3.19

composer ezsystems/ezpublish-kernel (Composer)

Description

Published by the National Vulnerability Database

Mar 12, 2023

Published to the GitHub Advisory Database

Mar 12, 2023

Last updated

Mar 13, 2023

Related news

CVE-2022-48366: Vulnerabilities in Page Builder, login, and Commerce

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack.

2 years ago

#vulnerability #perl #auth #ssl

ghsa: Latest News

GHSA-3m86-c9x3-vwm9: Graylog vulnerable to privilege escalation through API tokens

23 hours ago

GHSA-3q26-f695-pp76: @cyanheads/git-mcp-server vulnerable to command injection in several tools

1 day ago

GHSA-6r2x-8pq8-9489: Electron vulnerable to Heap Buffer Overflow in NativeImage

1 day ago

GHSA-v8fr-vxmw-6mf6: Mattermost Incorrect Authorization vulnerability

1 day ago

GHSA-wgvp-jj4w-88hf: Mattermost Incorrect Authorization vulnerability

1 day ago