Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yeDR2LWc4Y3gtanhycc4AArUC
Login timing attack in ibexa/core
Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.
Permalink: https://github.com/advisories/GHSA-2x4v-g8cx-jxrqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeDR2LWc4Y3gtanhycc4AArUC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-2x4v-g8cx-jxrq
References:
- https://github.com/ibexa/core/security/advisories/GHSA-2x4v-g8cx-jxrq
- https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce
- https://github.com/advisories/GHSA-2x4v-g8cx-jxrq
Blast Radius: 0.0
Affected Packages
packagist:ibexa/core
Dependent packages: 52Dependent repositories: 44
Downloads: 455,562 total
Affected Version Ranges: >= 4.1.0, < 4.1.4, >= 4.0.0, < 4.0.7
Fixed in: 4.1.4, 4.0.7
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.1.3
All unaffected versions: 4.0.7, 4.0.8, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.6.0, 4.6.1, 4.6.2, 4.6.3