Timing Attack
Description
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Atlantis webhook validator before 0.19.7 uses non-constant-time comparison for GitLab webhook secret, enabling timing attacks to recover secret and forge events.
The GitLab webhook event validator in Atlantis (before version 0.19.7) does not use a constant-time comparison function when validating the webhook secret. Instead, it performs a simple string comparison (headerSecret != secretStr), which is vulnerable to timing attacks [1][4]. This allows an attacker to recover the secret by measuring response times.
An attacker can send crafted webhook requests and observe the time difference in responses to deduce the secret character by character. The attack requires network access to the Atlantis server and the ability to send HTTP requests to the webhook endpoint. No authentication is needed beyond the secret itself. The GitHub and Bitbucket validators are not vulnerable because they use HMACs [4].
Successful recovery of the webhook secret allows the attacker to forge valid webhook events, potentially triggering unauthorized actions in Atlantis (e.g., running terraform plans/applies). The risk is considered low due to the difficulty of precise timing measurements over the network, but it is a real threat [4].
The fix was implemented in pull request #2392 [2] and released in version 0.19.7. Users should upgrade to at least 0.19.7. The Go vulnerability database also lists this as GO-2022-0534 [3].
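As an added illustration (not Atlantis code), the GitLab-style secret check in its pre-fix form, in the constant-time form the patch adopts, and a hashed variant that goes beyond the patch by also hiding the secret's length; the header name, secret value and function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// Header GitLab carries its webhook secret in (assumed name; Atlantis reads it via a secretHeader constant).
const secretHeader = "X-Gitlab-Token"
var errSecretMismatch = errors.New("webhook secret did not match expected secret")

// validateSecretNaive mirrors the pre-0.19.7 check: string != stops at the first
// differing byte, so how long it runs depends on how much of the guess is right.
func validateSecretNaive(r *http.Request, secret []byte) error {
	headerSecret := r.Header.Get(secretHeader)
	if len(secret) != 0 && headerSecret != string(secret) {
		return errSecretMismatch
	}
	return nil
}

// validateSecretConstantTime has the shape of the 0.19.7 fix: every byte is examined
// when lengths match. A length mismatch still returns early, so length may be observable.
func validateSecretConstantTime(r *http.Request, secret []byte) error {
	headerSecret := r.Header.Get(secretHeader)
	if len(secret) != 0 && subtle.ConstantTimeCompare(secret, []byte(headerSecret)) != 1 {
		return errSecretMismatch
	}
	return nil
}

// validateSecretHashed goes a step beyond the patch (added here, not Atlantis code):
// hashing both sides first gives fixed-length inputs, so length no longer affects timing.
func validateSecretHashed(r *http.Request, secret []byte) error {
	want := sha256.Sum256(secret)
	got := sha256.Sum256([]byte(r.Header.Get(secretHeader)))
	if len(secret) != 0 && subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return errSecretMismatch
	}
	return nil
}

func main() {
	r, _ := http.NewRequest(http.MethodPost, "/events", nil) // constructed request
	r.Header.Set(secretHeader, "wrong-guess")
	fmt.Println(validateSecretHashed(r, []byte("constructed-secret")))
}
```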
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/runatlantis/atlantis (Go) | < 0.19.7 | 0.19.7 |
Affected products
- runatlantis/atlantis
- OSV coordinates (4 versions): pkg:apk/chainguard/atlantis, pkg:apk/chainguard/atlantis-fips, pkg:apk/wolfi/atlantis, pkg:golang/github.com/runatlantis/atlantis
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0.19.7
Patches
48870911974a fix: use constant time comparison of webhook secret in gitlab event validator (#2392)
1 file changed · +2 −2
server/controllers/events/gitlab_request_parser_validator.go+2 −2 modified@@ -14,6 +14,7 @@ package events import ( + "crypto/subtle" "encoding/json" "fmt" "io" @@ -61,8 +62,7 @@ func (d *DefaultGitlabRequestParserValidator) ParseAndValidate(r *http.Request, // Validate secret if specified. headerSecret := r.Header.Get(secretHeader) - secretStr := string(secret) - if len(secret) != 0 && headerSecret != secretStr { + if len(secret) != 0 && subtle.ConstantTimeCompare(secret, []byte(headerSecret)) != 1 { return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret) }
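Review bot: in the ParseAndValidate hunk, subtle.ConstantTimeCompare returns 0 immediately when len(secret) and len(headerSecret) differ, so the change removes the byte-by-byte leak of the old headerSecret != secretStr check but can still let the configured secret's length be inferred from response time; if that matters, compare fixed-length digests (e.g. SHA-256) of secret and headerSecret instead. Also, the unchanged `return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)` line echoes the caller-supplied value back in the error text, which the check does not need; dropping headerSecret from that message would avoid reflecting untrusted input into logs or responses.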
References
- github.com/advisories/GHSA-jxqv-jcvh-7gr4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24912 (advisory)
- github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820 (web)
- github.com/runatlantis/atlantis/issues/2391 (web)
- github.com/runatlantis/atlantis/pull/2392 (web)
- pkg.go.dev/vuln/GO-2022-0534 (web)
- security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851 (web)