5.9

CVE-2021-4294

OpenShift OSIN CheckClientSecret timing discrepancy

A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216987.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatOpenshift Osin Version1.0.0
RedhatOpenshift Osin Version1.0.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.68% 0.473
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
cna@vuldb.com 2.6 1.2 1.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://github.com/openshift/osin/commit/8612686d6dda34ae9ef6b5a974e4b7accb4fea29
Patch
https://github.com/openshift/osin/pull/200
Issue Tracking
https://vuldb.com/?ctiid.216987
Permissions Required
https://vuldb.com/?id.216987
Permissions Required