CVE-2022-24912

Published: Jul 29, 2022

Modified: Sep 17, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.

Vendor	Product	Versions
n/a	github.com/runatlantis/atlantis/server/controllers/events	affected `unspecified - < 0.19.7`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851

x_refsource_MISC

https://github.com/runatlantis/atlantis/issues/2391

x_refsource_MISC

https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-24912

Description

Affected Products

CVSS v3.1 Details

References