Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02Nm00LWdjOGgtaHBqeM4AAyDt

Timing attack in eZ Platform Ibexa

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

Permalink: https://github.com/advisories/GHSA-66m4-gc8h-hpjx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02Nm00LWdjOGgtaHBqeM4AAyDt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-66m4-gc8h-hpjx, CVE-2022-48366
References: Repository: https://github.com/ezsystems/ezplatform-kernel

Affected Packages

packagist:ezsystems/ezpublish-kernel
Dependent packages: 229
Dependent repositories: 352
Downloads: 561,544 total
Affected Version Ranges: >= 7.5.0, < 7.5.29
Fixed in: 7.5.29
All affected versions: 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.5.24, 7.5.25, 7.5.26, 7.5.27, 7.5.28
All unaffected versions: 5.0.0, 5.2.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7, 6.7.8, 6.7.9, 6.7.10, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.10.0, 6.10.1, 6.11.0, 6.11.1, 6.11.2, 6.11.3, 6.11.4, 6.12.0, 6.12.1, 6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5, 6.13.6, 6.13.8, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.29, 7.5.30, 7.5.31, 2013.4.0, 2013.5.0, 2013.6.0, 2013.7.0, 2013.7.1, 2013.7.2, 2013.7.3, 2013.9.0, 2013.9.1, 2013.9.2, 2013.11.0, 2013.11.1, 2014.1.0, 2014.1.1, 2014.1.2, 2014.1.3, 2014.1.4, 2014.1.5, 2014.3.1, 2014.3.2, 2014.3.3, 2014.3.4, 2014.5.0, 2014.5.1, 2014.5.2, 2014.7.0, 2014.7.1, 2014.7.2, 2014.7.3, 2014.11.0, 2014.11.1, 2014.11.2, 2014.11.3, 2014.11.4, 2014.11.5, 2014.11.6, 2014.11.7, 2014.11.8
packagist:ezsystems/ezplatform-kernel
Dependent packages: 112
Dependent repositories: 99
Downloads: 188,373 total
Affected Version Ranges: >= 1.3.0, < 1.3.19
Fixed in: 1.3.19
All affected versions: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.19, 1.3.20, 1.3.21, 1.3.22, 1.3.23, 1.3.24, 1.3.25, 1.3.26, 1.3.27, 1.3.28, 1.3.29, 1.3.30, 1.3.31, 1.3.32, 1.3.33, 1.3.34