Time-Based Information Disclosure Vulnerability in Flow
Moderate severity
GitHub Reviewed
Published
Jun 5, 2024
to the GitHub Advisory Database
Package
Affected versions
>= 2.3.0, < 2.3.16
>= 3.0.0, < 3.0.10
>= 3.1.0, < 3.1.7
>= 3.2.0, < 3.2.7
>= 3.3.0, < 3.3.5
Patched versions
2.3.16
3.0.10
3.1.7
3.2.7
3.3.5
Description
Reviewed
Jun 5, 2024
The PersistedUsernamePasswordProvider was prone to an information disclosure of account existence through a timing attack: the submitted password was hashed only when an account with the given username was found, so a login attempt against a non-existent account returned measurably faster than one against an existing account. We changed the core so that the provider always performs a password comparison whenever credentials are submitted at all, regardless of whether the account exists.
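The following is an added example, not Flow's own code, that models the pattern the advisory describes and its fix. The in-memory account array, the function names and the dummy-hash bootstrap are assumptions made for illustration; the point is that the vulnerable provider skips the expensive hash on the "no such account" branch, while the hardened one always pays for a verification.

```php
<?php
// Added example, not Flow's code. Models the timing side channel described in
// the advisory: hashing only when an account exists leaks account existence.
declare(strict_types=1);

// Constructed in-memory "database": username => password hash (assumption).
// bcrypt cost 10 so a single verification takes tens of milliseconds.
$accounts = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

// Vulnerable pattern: the hash comparison happens only on the "found" branch,
// so an unknown username returns in microseconds instead of milliseconds.
function authenticateVulnerable(array $accounts, string $username, string $password): bool
{
    if (!isset($accounts[$username])) {
        return false;                                       // fast path, no hashing
    }
    return password_verify($password, $accounts[$username]); // slow path
}

// Hardened pattern: always run a verification of equal cost. The dummy hash is
// computed once at bootstrap (assumption) with the same algorithm and cost as the
// stored hashes; a differing cost would reintroduce a timing difference.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);

function authenticateHardened(array $accounts, string $dummyHash, string $username, string $password): bool
{
    $found = isset($accounts[$username]);
    $hash  = $found ? $accounts[$username] : $dummyHash;
    $match = password_verify($password, $hash);  // always executed
    return $found && $match;                     // the dummy hash can never authenticate
}

// Median wall-clock time of $fn over $n calls, in milliseconds.
function medianMs(callable $fn, int $n = 7): float
{
    $samples = [];
    for ($i = 0; $i < $n; $i++) {
        $start = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($n, 2)];
}

$providers = [
    'vulnerable' => fn(string $u, string $p): bool => authenticateVulnerable($accounts, $u, $p),
    'hardened'   => fn(string $u, string $p): bool => authenticateHardened($accounts, $dummyHash, $u, $p),
];

foreach ($providers as $name => $auth) {
    $known   = medianMs(fn() => $auth('alice', 'wrong password'));
    $unknown = medianMs(fn() => $auth('nobody', 'wrong password'));
    printf("%-10s existing user: %7.2f ms   unknown user: %7.2f ms\n", $name, $known, $unknown);
}
```

Running this prints two rows: for the vulnerable provider the unknown-user column is orders of magnitude smaller than the existing-user column, while for the hardened provider both columns are within noise of each other. Two caveats apply to this mitigation in practice: the dummy hash must be generated with the same algorithm and cost as the stored hashes, and the account lookup itself must not become the new distinguishing step (for example, a database query that returns in a different time for a hit than for a miss).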
References