icon

We found results for “

WS-2022-0140

Good to know:

icon
icon

Date: November 3, 2024

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

Language: PHP

Severity Score

Severity Score

Weakness Type (CWE)

Observable Timing Discrepancy

CWE-208

Top Fix

icon

Upgrade Version

Upgrade to version ezsystems/ezpublish-kernel - v7.5.29

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us