CVE-2022-24912

Observable Discrepancy in go/github.com/runatlantis/atlantis/server/controllers/events

Identifiers

GHSA-jxqv-jcvh-7gr4, CVE-2022-24912

Package Slug

go/github.com/runatlantis/atlantis/server/controllers/events

Vulnerability

Observable Discrepancy

Description

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.

Affected Versions

All versions before 0.19.7

Solution

Upgrade to version 0.19.7 or above.

Last Modified

2022-08-09

source