0.0
high
  • Attack Complexity

    Low

  • Confidentiality

    High

  • snyk-id

    SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851

  • published

    27 Jul 2022

  • disclosed

    15 Jul 2022

  • credit

    cedws

How to fix?

Upgrade github.com/runatlantis/atlantis/server/controllers/events to version 0.19.7 or higher.

Overview

Affected versions of this package are vulnerable to a Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.
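The class of bug described above, shown as an added example that is not the Atlantis code or its patch: a webhook token check using ordinary string comparison beside a constant-time version. The header name `X-Webhook-Token`, the `/events` path, the function names and the sample secrets are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tokenHeader is a hypothetical header name chosen for this example.
const tokenHeader = "X-Webhook-Token"

// weakTokenMatch is the vulnerable pattern: == may return at the first differing byte.
func weakTokenMatch(supplied, secret string) bool {
	return supplied == secret
}

// constantTimeTokenMatch hashes both values to fixed-length digests, then compares
// them in constant time, so neither secret length nor matching prefix affects timing.
func constantTimeTokenMatch(supplied, secret string) bool {
	a := sha256.Sum256([]byte(supplied))
	b := sha256.Sum256([]byte(secret))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// requireWebhookToken rejects any request whose token header does not match.
func requireWebhookToken(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !constantTimeTokenMatch(r.Header.Get(tokenHeader), secret) {
			http.Error(w, "invalid webhook token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the middleware and returns the status.
func statusFor(secret, supplied string) int {
	h := requireWebhookToken(secret, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	req := httptest.NewRequest(http.MethodPost, "/events", nil)
	req.Header.Set(tokenHeader, supplied)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("constructed-secret", "constructed-secret"), statusFor("constructed-secret", "constructed-secreX"))
}
```

Where the webhook provider sends an HMAC signature rather than a shared token, `hmac.Equal` from `crypto/hmac` gives the same constant-time property for the digest comparison.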