Observable Discrepancy
CVE-2023-32691
Summary
The package github.com/ginuerzh/gost is vulnerable to Timing attacks which occur when an attacker can guess a secret by observing a difference in processing time for valid and invalid inputs. Sensitive secrets such as passwords, tokens, and API keys should be compared only using a "constant-time comparison function".
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-203 - Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
References
Advisory Timeline
- Published