Home > Vulnerability Database > WS-2022-0144

Mend.io Vulnerability Database

WS-2022-0144

Good to know:

Date: November 3, 2024

Ibexa DXP before 1.3.19 is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

Language: PHP

Severity Score

7.5

Related Resources (5)

Url: https://github.com/ezsystems/ezplatform-kernel

Url: https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2

Url: https://github.com/ezsystems/ezplatform-kernel/commit/09d3ee4c36ce22f75d5ec3f22edf3d74eb158211

Url: https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce

Url: https://www.mend.io/vulnerability-database/WS-2022-0144

Severity Score

7.5

Weakness Type (CWE)

Observable Timing Discrepancy

CWE-208

Top Fix

Upgrade Version

Upgrade to version v1.3.19

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2022-0144

Good to know:

Date: November 3, 2024

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?