Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Timing Attack
Vulnerability Description
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
N/A
Vulnerability Title
Atlantis 安全漏洞
Vulnerability Description
Atlantis是Atlantis开源的一个自托管的 golang 应用程序。通过 webhook 监听 Terraform 拉取请求事件。 Atlantis 0.19.7之前版本存在安全漏洞,该漏洞源于软件包github.com/runatlantis/atlantis/server/controllers/events在webhook事件验证器代码中存在Timing Attack漏洞,该代码没有使用恒定时间比较函数来验证webhook密钥,它可以让攻击者以攻击者的身份恢复这个秘密,然后伪造webhoo
CVSS Information
N/A
Vulnerability Type
N/A