Flow-SA-2016-001: Time-Based Information Disclosure Vulnerability
The PersistedUsernamePasswordProvider is prone to an information disclosure of account existence through timing attacks, because passwords are only hashed when an account is found.
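The pattern described above, next to a hardened form that does the same hashing work whether or not the account exists. This is an added example, not Flow's code or its actual fix; the function names, the in-memory account store and the dummy-hash approach are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample account store (hypothetical; not Flow's persistence layer).
$accounts = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])];

// Dummy hash with the same algorithm and cost as real accounts, computed once.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]));

// Pattern from the advisory: hashing happens only when the account is found,
// so an unknown username returns measurably faster than a known one.
function authenticateLeaky(array $accounts, string $user, string $password): bool
{
    if (!isset($accounts[$user])) {
        return false; // early return, no hashing work done
    }
    return password_verify($password, $accounts[$user]);
}

// Hardened form: always run one verification, against the dummy hash when the
// account is missing, and only then combine the result with the lookup outcome.
function authenticateUniform(array $accounts, string $user, string $password): bool
{
    $known = isset($accounts[$user]);
    $hash = $known ? $accounts[$user] : DUMMY_HASH;
    $matches = password_verify($password, $hash);
    return $known && $matches;
}

// Average wall-clock time per call in milliseconds.
function averageMs(callable $fn, int $runs = 5): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $runs; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / $runs / 1e6;
}

// Regression check: compare an existing and a non-existing account with a wrong password.
foreach (['authenticateLeaky', 'authenticateUniform'] as $fn) {
    $known = averageMs(fn() => $fn($accounts, 'alice', 'wrong'));
    $unknown = averageMs(fn() => $fn($accounts, 'nobody', 'wrong'));
    printf("%-20s known=%.2f ms  unknown=%.2f ms\n", $fn, $known, $unknown);
}
```

With the leaky version the unknown-account time is close to zero while the known-account time reflects one bcrypt verification; with the uniform version both are of the same order.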