Ibexa Kernel for eZ Platform allows determining account existence due to insufficient anti-timing attack method

Go back

severity: high
date: March 12, 2023
Affecting: ezpublish-kernel versions 7.5.0 upto 7.5.29
ezplatform-kernel versions 1.3.0 upto 1.3.19
CVE: CVE-2022-48366
CVE type: Observable Timing Discrepancy
CVSS: 3.7
CVSS V3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References: GHSA-xfqg-p48g-hh94
GHSA-342c-vcff-2ff2
ibexa advisory