CVE-2015-7576: Timing attack vulnerability in basic authentication

February 15, 2016 (updated August 8, 2019)

Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell you application is vulnerable to this attack by looking for http_basic_authenticate_with method calls in your application.

References

groups.google.com/forum/

Detect and mitigate CVE-2015-7576 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →