CVE-2024-30257: 1Panel's password verification is suspected to have a timing attack vulnerability

April 18, 2024

源码中密码校验处使用 != 符号，而不是hmac.Equal，这可能导致产生计时攻击漏洞，从而爆破密码。建议使用 hmac.Equal 比对密码。

References

github.com/1Panel-dev/1Panel
github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go
github.com/1Panel-dev/1Panel/security/advisories/GHSA-6m9h-2pr2-9j8f
github.com/advisories/GHSA-6m9h-2pr2-9j8f
nvd.nist.gov/vuln/detail/CVE-2024-30257

Detect and mitigate CVE-2024-30257 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →