Skip to content

Login timing attack in ezsystems/ezpublish-kernel

Critical severity GitHub Reviewed Published May 31, 2022 in ezsystems/ezpublish-kernel • Updated May 1, 2023

Package

composer ezsystems/ezpublish-kernel (Composer)

Affected versions

>= 7.5.0, < 7.5.29

Patched versions

7.5.29

Description

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

References

@glye glye published to ezsystems/ezpublish-kernel May 31, 2022
Published to the GitHub Advisory Database Jun 2, 2022
Reviewed Jun 2, 2022
Last updated May 1, 2023

Severity

Critical

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-xfqg-p48g-hh94

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.