SimpleSAMLphp allows timing side-channel attacks
Moderate severity
GitHub Reviewed
Published May 14, 2022 to the GitHub Advisory Database • Updated Feb 7, 2024
Package
Affected versions: < 1.15.0-rc1
Patched versions: 1.15.0-rc1
Published by the National Vulnerability Database: Sep 1, 2017
Published to the GitHub Advisory Database: May 14, 2022
Reviewed: Jul 26, 2023
Last updated: Feb 7, 2024
Description
The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.
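The comparison problem described above, shown as an added PHP example that is not taken from SimpleSAMLphp or its patch: an early-exit comparison examines a number of bytes that depends on where the input first differs from the secret, while `hash_equals()` does not. The function names and the sample token are hypothetical, and hashing both sides with an HMAC before comparing is an extra hardening step assumed here, not something the advisory states.

```php
<?php
// Added illustration. Names and sample values are hypothetical/constructed.

/**
 * Model of an ordinary string comparison: it stops at the first mismatch.
 * Returns [equal?, bytes examined] so the data-dependent work is visible
 * without relying on noisy wall-clock measurements.
 */
function earlyExitCompare(string $secret, string $input): array
{
    if (strlen($secret) !== strlen($input)) {
        return [false, 0]; // length mismatch is rejected before any byte is read
    }
    for ($i = 0; $i < strlen($secret); $i++) {
        if ($secret[$i] !== $input[$i]) {
            return [false, $i + 1]; // work done depends on the matching prefix
        }
    }
    return [true, strlen($secret)];
}

/**
 * Hardened check. hash_equals() runs in time that depends on string length
 * only, not on where the strings differ. Comparing HMACs under a fresh random
 * key gives both sides the same fixed length (assumed extra step).
 */
function constantTimeCheck(string $secret, string $input): bool
{
    $key = random_bytes(32);
    return hash_equals(
        hash_hmac('sha256', $secret, $key, true),
        hash_hmac('sha256', $input, $key, true)
    );
}

$secret = 'constructed-session-token-0001'; // constructed sample, 30 bytes
$inputs = [
    'Xonstructed-session-token-0001', // differs at the first byte
    'constructed-Xession-token-0001', // differs at the 13th byte
    'constructed-session-token-000X', // differs at the last byte
    $secret,                          // exact match
];
foreach ($inputs as $in) {
    [$equal, $examined] = earlyExitCompare($secret, $in);
    printf("%s  early-exit=%-5s bytes examined=%2d  hash_equals=%s\n",
        $in, $equal ? 'true' : 'false', $examined,
        constantTimeCheck($secret, $in) ? 'true' : 'false');
}
```

The "bytes examined" column grows with the length of the matching prefix, which is the signal a timing measurement would pick up; the `hash_equals` column carries only the accept/reject result.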