Skip to content

Time-Based Information Disclosure Vulnerability in Flow

Moderate severity GitHub Reviewed Published Jun 5, 2024 to the GitHub Advisory Database

Package

composer typo3/flow (Composer)

Affected versions

>= 2.3.0, < 2.3.16
>= 3.0.0, < 3.0.10
>= 3.1.0, < 3.1.7
>= 3.2.0, < 3.2.7
>= 3.3.0, < 3.3.5

Patched versions

2.3.16
3.0.10
3.1.7
3.2.7
3.3.5

Description

The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.

References

Published to the GitHub Advisory Database Jun 5, 2024
Reviewed Jun 5, 2024

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-r6mm-wmhf-849m

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.