CVE-2022-24912 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-24912

CVE-2022-24912

July 29, 2022

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.

Related Resources (6)

https://github.com/runatlantis/atlantis/issues/2391

https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820

https://github.com/runatlantis/atlantis/pull/2392

https://nvd.nist.gov/vuln/detail/CVE-2022-24912

https://github.com/runatlantis/atlantis

https://pkg.go.dev/vuln/GO-2022-0534

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Observable Timing Discrepancy

CWE-208

Observable Discrepancy

CWE-203

EPSS

Base Score:

0.22

Products

Solutions

Resources

Company

Compare

Developer Tools