Timing Attack Affecting ezsystems/ezpublish-kernel package, versions >=7.5.0, <7.5.29


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.09% (41st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-EZSYSTEMSEZPUBLISHKERNEL-2858330
  • published3 Jun 2022
  • disclosed2 Jun 2022
  • creditChristoph Rottermanner @ sec.it, Jonas Roller @ sec.it

Introduced: 2 Jun 2022

CVE-2022-48366  (opens in a new tab)
CWE-208  (opens in a new tab)

How to fix?

Upgrade ezsystems/ezpublish-kernel to version 7.5.29 or higher.

Overview

ezsystems/ezpublish-kernel is a kernel used by ezsystems/ezplatform and derivatives. Provides the Content Repository, its APIs, and the application's Symfony framework integration.

Affected versions of this package are vulnerable to Timing Attack. Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations.

CVSS Scores

version 3.1