Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02bTloLTJwcjItOWo4Zs4AA7Lw

1Panel's password verification is suspected to have a timing attack vulnerability

Summary

The password check in the source code uses the != operator rather than hmac.Equal, which may introduce a timing-attack vulnerability that allows the password to be brute-forced. hmac.Equal should be used to compare passwords.
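The pattern the advisory describes, shown side by side with the constant-time replacement it recommends. This is an added illustration, not code from the 1Panel repository: the secret value is constructed, and `bytesExamined` is a deliberately simplified model of why an early-exit comparison leaks information, not Go's actual runtime string comparison.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed sample secret for the demonstration; a real deployment
// stores only a salted password hash, never the plaintext.
const storedSecret = "correct-horse-battery"

// verifyInsecure is the pattern the advisory describes: a plain string
// comparison. Go's string != stops at the first differing byte, so the
// time it takes depends on how many leading bytes the supplied value
// shares with the stored one.
func verifyInsecure(stored, supplied string) bool {
	if stored != supplied {
		return false
	}
	return true
}

// bytesExamined models the early-exit behaviour of a naive comparison
// loop: it returns how many byte positions are inspected before the
// comparison can stop. Equal-length inputs with a longer shared prefix
// keep the loop running longer, which is the signal a timing attack
// measures. Illustrative model only, not Go's runtime code.
func bytesExamined(stored, supplied string) int {
	if len(stored) != len(supplied) {
		return 0 // a length mismatch is decided before any byte is read
	}
	for i := 0; i < len(stored); i++ {
		if stored[i] != supplied[i] {
			return i + 1
		}
	}
	return len(stored)
}

// verifyConstantTime is the hardened form. Both values are hashed first
// so the slices handed to hmac.Equal always have the same length;
// hmac.Equal (crypto/subtle.ConstantTimeCompare underneath) then takes
// the same time regardless of where the first difference lies.
func verifyConstantTime(stored, supplied string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(supplied))
	return hmac.Equal(a[:], b[:])
}

func main() {
	// Constructed inputs: an exact match, a same-length value sharing a
	// long prefix, and a value of a different length.
	guesses := []string{"correct-horse-battery", "correct-horse-xxxxxxx", "wrong-horse-battery"}
	for _, g := range guesses {
		fmt.Printf("%-24q insecure=%-5v constantTime=%-5v bytesExaminedByNaiveLoop=%d\n",
			g, verifyInsecure(storedSecret, g), verifyConstantTime(storedSecret, g),
			bytesExamined(storedSecret, g))
	}
}
```

Hashing before the comparison matters because hmac.Equal returns immediately when the two slices differ in length, so comparing raw strings with it would still reveal the stored value's length. Where the stored value is already a password hash (bcrypt, argon2 and similar), the library's own verification routine performs a constant-time comparison and should be used instead of comparing strings at all.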

Details

https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26

Impact

All users of this product.

Permalink: https://github.com/advisories/GHSA-6m9h-2pr2-9j8f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02bTloLTJwcjItOWo4Zs4AA7Lw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 9 months ago
Updated: 6 months ago


CVSS Score: 3.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-6m9h-2pr2-9j8f, CVE-2024-30257
References: Repository: https://github.com/1Panel-dev/1Panel
Blast Radius: 1.0

Affected Packages

go:github.com/1Panel-dev/1Panel
Dependent packages: 1
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.10.3
Fixed in: 1.10.3
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6
All unaffected versions: