Description:
gost (GO Simple Tunnel) is a simple tunnel written in Go. Sensitive secrets such as passwords, tokens and API keys should be compared only with a constant-time comparison function. Untrusted input, sourced from an HTTP header, is compared directly with a secret. Since this comparison is not constant-time, an attacker can mount a side-channel timing attack to guess the password. This can be fixed with a constant-time comparison function such as crypto/subtle's ConstantTimeCompare.
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/ginuerzh/gost
packages:
- package: gost
description: "gost (GO Simple Tunnel) is a simple tunnel written in golang. Sensitive
secrets such as passwords, token and API keys should be compared only using a
constant-time comparison function. Untrusted input, sourced from a HTTP header,
is compared directly with a secret. Since this comparison is not secure, an attacker
can mount a side-channel timing attack to guess the password. As a workaround,
this can be easily fixed using a constant time comparing function such as `crypto/subtle`'s
`ConstantTimeCompare`. \n\n"
cves:
- CVE-2023-32691
references:
- advisory: https://github.com/ginuerzh/gost/security/advisories/GHSA-qjrq-hm79-49ww
- web: https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46
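The following is an added example, not code from gost or from this report, showing the flawed pattern the description names (a plain string comparison of a header value against a secret) next to the `crypto/subtle` fix. The token value, the `X-Auth-Token` header name and the handler are assumptions made for this example only. Both inputs are hashed before `subtle.ConstantTimeCompare` because that function returns immediately when the lengths differ, which would otherwise reveal the secret's length.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// expectedToken is a constructed sample secret for this example only.
const expectedToken = "s3cr3t-token-example"

// InsecureTokenMatch mirrors the flawed pattern: a plain == on strings.
// Go's string comparison stops at the first differing byte, so the time it
// takes depends on how many leading bytes of the guess are correct.
func InsecureTokenMatch(presented, expected string) bool {
	return presented == expected
}

// ConstantTimeTokenMatch is the fix named in the advisory. Both values are
// hashed first so that subtle.ConstantTimeCompare always sees two buffers of
// the same length; without that, its early return on a length mismatch would
// still leak the length of the secret. The comparison over the digests then
// takes the same time regardless of which bytes differ.
func ConstantTimeTokenMatch(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// authHandler checks a token carried in a request header using the
// constant-time path. "X-Auth-Token" is an assumed header name, not gost's.
func authHandler(w http.ResponseWriter, r *http.Request) {
	if !ConstantTimeTokenMatch(r.Header.Get("X-Auth-Token"), expectedToken) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintln(w, "ok")
}

// StatusForToken drives authHandler with an in-memory request and returns the
// HTTP status code it produced, so the behaviour can be checked without a
// listening socket.
func StatusForToken(token string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("X-Auth-Token", token)
	rec := httptest.NewRecorder()
	authHandler(rec, req)
	return rec.Code
}

func main() {
	for _, tok := range []string{expectedToken, "wrong-guess", ""} {
		fmt.Printf("token %q -> HTTP %d\n", tok, StatusForToken(tok))
	}
}
```

Hashing before comparing is the usual way to use `ConstantTimeCompare` for secrets of unknown length; when the secret is already stored as a fixed-length digest (for example a password hash), comparing the digests directly is enough.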
CVE-2023-32691 references github.com/ginuerzh/gost, which may be a Go module.