Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/44660?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44660?format=api", "vulnerability_id": "VCID-jz3f-vywm-v7a7", "summary": "Timing attack in eZ Platform Ibexa\nIbexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.", "aliases": [ { "alias": "CVE-2022-48366" }, { "alias": "GHSA-66m4-gc8h-hpjx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64300?format=api", "purl": "pkg:composer/ezsystems/ezplatform-kernel@1.3.19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezplatform-kernel@1.3.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/64308?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.29", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.29" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60749?format=api", "purl": "pkg:composer/ezsystems/ezplatform-kernel@1.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7fty-j3wj-aqf4" }, { "vulnerability": "VCID-98jr-a3av-8faw" }, { "vulnerability": "VCID-fjc8-x5ct-2uf3" }, { "vulnerability": "VCID-jz3f-vywm-v7a7" }, { "vulnerability": "VCID-m6hv-1sz4-mfff" }, { "vulnerability": "VCID-puj3-khrf-hfa6" }, { "vulnerability": "VCID-veax-u5rr-4kbv" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezplatform-kernel@1.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/60248?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1eex-e332-37e8" }, { "vulnerability": "VCID-86hr-ej2a-ubbw" }, { "vulnerability": "VCID-jz3f-vywm-v7a7" }, { "vulnerability": "VCID-m6hv-1sz4-mfff" }, { "vulnerability": "VCID-q58t-76x6-mqgp" }, { "vulnerability": "VCID-tw5w-dvc4-gfh4" }, { "vulnerability": "VCID-ueng-9gm9-4qb2" }, { "vulnerability": "VCID-veax-u5rr-4kbv" }, { "vulnerability": "VCID-vpbp-kn99-hygk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.0" } ], "references": [ { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce" }, { "reference_url": "https://github.com/ezsystems/ezplatform-kernel", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/ezsystems/ezplatform-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48366", "reference_id": "CVE-2022-48366", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48366" }, { "reference_url": "https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2", "reference_id": "GHSA-342c-vcff-2ff2", "reference_type": "", "scores": [], "url": "https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2" }, { "reference_url": "https://github.com/advisories/GHSA-66m4-gc8h-hpjx", "reference_id": "GHSA-66m4-gc8h-hpjx", "reference_type": "", "scores": [], "url": 
"https://github.com/advisories/GHSA-66m4-gc8h-hpjx" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94", "reference_id": "GHSA-xfqg-p48g-hh94", "reference_type": "", "scores": [], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94" } ], "weaknesses": [ { "cwe_id": 362, "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "description": "The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jz3f-vywm-v7a7" }