Timing Attack Affecting github.com/runatlantis/atlantis/server/controllers/events package, versions <0.19.7
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851
- published 27 Jul 2022
- disclosed 15 Jul 2022
- credit cedws
How to fix?
github.com/runatlantis/atlantis/server/controllers/events to version 0.19.7 or higher.
Affected versions of this package are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.