CVE-2022-48366
Description
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
eZ Platform Ibexa Kernel before 1.3.19 allows user enumeration via a timing attack on the login functionality.
Vulnerability
Description
CVE-2022-48366 is a timing attack vulnerability in eZ Platform Ibexa Kernel, affecting versions before 1.3.19. The login mechanism used random execution time to hinder timing attacks, but this implementation was insufficient, allowing attackers to determine whether a given account exists by measuring response times [1][3].
Exploitation
An unauthenticated attacker can exploit this by sending login requests with different usernames and measuring the response time discrepancies. The timing difference reveals whether the account exists, enabling user enumeration without needing to know the password [3][4].
Impact
Successful exploitation allows an attacker to identify valid user accounts on the system, compromising user privacy. This information can be used for targeted attacks such as brute-force or credential stuffing [3].
Mitigation
The vulnerability is fixed in Ibexa Kernel version 1.3.19 and later. The fix replaces the random delay with constant-time authentication, configured via the 'ibexa.security.authentication.constant_auth_time' parameter. Users should upgrade to the patched version as soon as possible [3][4].
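To show why a random delay does not hide the existence check while a constant-time budget does, here is an added Python example (not code from this page or from Ibexa). The fake clock, the per-step cost figures, the user store and the `CONSTANT_AUTH_TIME` budget are constructed assumptions standing in for the real login path.

```python
import hmac
import random
import statistics
from hashlib import pbkdf2_hmac

# Constructed example store: username -> (salt, PBKDF2 hash). Not real data.
SALT = b"example-salt"
USERS = {"alice": (SALT, pbkdf2_hmac("sha256", b"correct horse", SALT, 1000))}
# Assumed costs in seconds: lookup, hash verify, max jitter, constant budget.
LOOKUP_COST, HASH_COST, JITTER_MAX, CONSTANT_AUTH_TIME = 0.002, 0.050, 0.100, 0.200


class FakeClock:
    """Virtual clock so the cost model is deterministic; advance() models real work."""
    def __init__(self):
        self.t = 0.0

    def advance(self, seconds):
        self.t += seconds


def _check(clock, username, password):
    clock.advance(LOOKUP_COST)
    record = USERS.get(username)
    if record is None:
        return False  # unknown user skips the hash step: that is the observable leak
    salt, expected = record
    clock.advance(HASH_COST)
    return hmac.compare_digest(pbkdf2_hmac("sha256", password.encode(), salt, 1000), expected)


def login_random_delay(clock, username, password, rng):
    """Weak pattern: variable work plus random jitter. Averaging removes the jitter."""
    ok = _check(clock, username, password)
    clock.advance(rng.uniform(0, JITTER_MAX))
    return ok


def login_constant_time(clock, username, password, rng=None):
    """Hardened pattern: pad every attempt to CONSTANT_AUTH_TIME whichever path ran."""
    start = clock.t
    ok = _check(clock, username, password)
    remaining = CONSTANT_AUTH_TIME - (clock.t - start)
    if remaining > 0:  # if work already exceeds the budget, the budget is too small
        clock.advance(remaining)
    return ok


def mean_gap(login, samples=2000, seed=1):
    """Regression check: mean elapsed time for a known user minus an unknown user."""
    rng, means = random.Random(seed), []
    for username in ("alice", "nobody"):
        elapsed = []
        for _ in range(samples):
            clock = FakeClock()
            login(clock, username, "wrong password", rng)
            elapsed.append(clock.t)
        means.append(statistics.fmean(elapsed))
    return means[0] - means[1]
```

With the random delay, `mean_gap` converges to `HASH_COST` as samples grow; with the padded version it stays at zero, which is the property a `constant_auth_time` budget is meant to give.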
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ezsystems/ezplatform-kernel (Packagist) | >= 1.3.0, < 1.3.19 | 1.3.19 |
| ezsystems/ezpublish-kernel (Packagist) | >= 7.5.0, < 7.5.29 | 7.5.29 |
Affected products
- eZ Platform/Ibexa Kernel
  - Range: <1.3.19
  - GHSA coordinates (2 version ranges):
    - (no CPE) range: >= 1.3.0, < 1.3.19
    - (no CPE) range: >= 7.5.0, < 7.5.29
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-66m4-gc8h-hpjx (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-48366 (GHSA, advisory)
- [3] developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce (GHSA, web)
- [4] github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2 (GHSA, web)
- [5] github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94 (GHSA, web)
News mentions
No linked articles in our index yet.