Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13Mjc3LXdwcWYtcmNmds4AA5H1
Svix vulnerable to improper comparison of different-length signatures
The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in v1, as the signature, which would always pass verification.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Mjc3LXdwcWYtcmNmds4AA5H1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
Identifiers: GHSA-w277-wpqf-rcfv
References:
- https://github.com/svix/svix-webhooks/pull/1190
- https://github.com/svix/svix-webhooks/commit/958821bd3b956d1436af65f70a0964d4ffb7daf6
- https://rustsec.org/advisories/RUSTSEC-2024-0010.html
- https://github.com/advisories/GHSA-w277-wpqf-rcfv
Blast Radius: 0.0
Affected Packages
cargo:svix
Dependent packages: 0Dependent repositories: 1
Downloads: 123,118 total
Affected Version Ranges: < 1.17.0
Fixed in: 1.17.0
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.58.0, 0.58.1, 0.58.2, 0.59.0, 0.59.1, 0.60.0, 0.61.0, 0.62.0, 0.62.1, 0.63.0, 0.63.1, 0.64.0, 0.64.1, 0.64.2, 0.65.0, 0.65.1, 0.66.0, 0.67.0, 0.68.0, 0.68.1, 0.69.0, 0.70.0, 0.71.0, 0.72.0, 0.73.0, 0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.76.1, 0.77.0, 0.78.0, 0.79.0, 0.80.0, 0.81.0, 0.82.0, 0.82.1, 0.83.0, 0.83.1, 0.84.0, 0.84.1, 0.85.0, 0.85.1, 1.4.12, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0
All unaffected versions: 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0