CVE-2022-48366 – ezsystems/ezpublish-kernel

Package

Manager: composer
Name: ezsystems/ezpublish-kernel
Vulnerable Version: >=7.5.0 <7.5.29

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00165 pctl0.38037

Details

Timing attack in eZ Platform Ibexa Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

Metadata

Created: 2023-03-12T06:30:21Z
Modified: 2025-03-04T19:07:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-66m4-gc8h-hpjx/GHSA-66m4-gc8h-hpjx.json
CWE IDs: ["CWE-362"]
Alternative ID: GHSA-66m4-gc8h-hpjx
Finding: F124
Auto approve: 1