CVE-2024-30257: 1Panel's password verification is suspected to have a timing attack vulnerability

April 18, 2024 (updated February 11, 2025)

源码中密码校验处使用 != 符号，而不是hmac.Equal，这可能导致产生计时攻击漏洞，从而爆破密码。建议使用 hmac.Equal 比对密码。

Translation:

The source code uses the != symbol instead of hmac.Equal for password verification, which may lead to timing attack vulnerabilities that can lead to password cracking. It is recommended to use hmac. Equal to compare passwords.

References

github.com/1Panel-dev/1Panel
github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go
github.com/1Panel-dev/1Panel/security/advisories/GHSA-6m9h-2pr2-9j8f
github.com/advisories/GHSA-6m9h-2pr2-9j8f
nvd.nist.gov/vuln/detail/CVE-2024-30257

Detect and mitigate CVE-2024-30257 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →