Skip to content

1Panel's password verification is suspected to have a timing attack vulnerability

Low severity GitHub Reviewed Published Apr 18, 2024 in 1Panel-dev/1Panel • Updated Aug 3, 2024

Package

gomod github.com/1Panel-dev/1Panel (Go)

Affected versions

< 1.10.3

Patched versions

1.10.3

Description

Summary

源码中密码校验处使用 != 符号,而不是hmac.Equal,这可能导致产生计时攻击漏洞,从而爆破密码。
建议使用 hmac.Equal 比对密码。

Translation:

The source code uses the != symbol instead of hmac.Equal for password verification, which may lead to timing attack vulnerabilities that can lead to password cracking. It is recommended to use hmac. Equal to compare passwords.

Details

https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26

Impact

该产品的所有使用者。

Translation:

All users of this product.

References

@wanghe-fit2cloud wanghe-fit2cloud published to 1Panel-dev/1Panel Apr 18, 2024
Published by the National Vulnerability Database Apr 18, 2024
Published to the GitHub Advisory Database Apr 18, 2024
Reviewed Apr 18, 2024
Last updated Aug 3, 2024

Severity

Low
3.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Weaknesses

CVE ID

CVE-2024-30257

GHSA ID

GHSA-6m9h-2pr2-9j8f

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.