1Panel's password verification is suspected to have a timing attack vulnerability
Description
Published by the National Vulnerability Database
Apr 18, 2024
Published to the GitHub Advisory Database
Apr 18, 2024
Reviewed
Apr 18, 2024
Last updated
Apr 18, 2024
Summary
源码中密码校验处使用 != 符号,而不是
hmac.Equal
,这可能导致产生计时攻击漏洞,从而爆破密码。建议使用
hmac.Equal
比对密码。Details
https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26
PoC
Impact
该产品的所有使用者。
References