High severityNVD Advisory· Published Jul 29, 2022· Updated Sep 17, 2024
Timing Attack
CVE-2022-24912
Description
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/runatlantis/atlantisGo | < 0.19.7 | 0.19.7 |
Affected products
5- runatlantis/atlantisdescription
- osv-coords4 versionspkg:apk/chainguard/atlantispkg:apk/chainguard/atlantis-fipspkg:apk/wolfi/atlantispkg:golang/github.com/runatlantis/atlantis
< 0+ 3 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.19.7
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-jxqv-jcvh-7gr4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24912ghsaADVISORY
- github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820ghsax_refsource_MISCWEB
- github.com/runatlantis/atlantis/issues/2391ghsax_refsource_MISCWEB
- github.com/runatlantis/atlantis/pull/2392ghsaWEB
- pkg.go.dev/vuln/GO-2022-0534ghsaWEB
- security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.