GHSA-6pq8-67pw-j6hw

Suggest an improvement
Source
https://github.com/advisories/GHSA-6pq8-67pw-j6hw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-6pq8-67pw-j6hw/GHSA-6pq8-67pw-j6hw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6pq8-67pw-j6hw
Published
2024-05-17T23:03:25Z
Modified
2024-05-17T23:15:45.995697Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Time-Based Information Disclosure Vulnerability in Flow
Details

The PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-17T23:03:25Z"
}
References

Affected packages

Packagist / neos/flow

Package

Name
neos/flow
Purl
pkg:composer/neos/flow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.16

Affected versions

2.*

2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.3.12
2.3.13
2.3.14
2.3.15

Packagist / neos/flow

Package

Name
neos/flow
Purl
pkg:composer/neos/flow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.10

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9

Packagist / neos/flow

Package

Name
neos/flow
Purl
pkg:composer/neos/flow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.7

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6

Packagist / neos/flow

Package

Name
neos/flow
Purl
pkg:composer/neos/flow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.7

Affected versions

3.*

3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6

Packagist / neos/flow

Package

Name
neos/flow
Purl
pkg:composer/neos/flow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.5

Affected versions

3.*

3.3.0
3.3.1
3.3.2
3.3.3
3.3.4