1Panel's password verification is suspected to have a timing attack vulnerability

GHSA-6m9h-2pr2-9j8f · CVE-2024-30257 · GO-2024-2734

Published Apr 18, 2024 · Modified Feb 11, 2025

Description

Summary

源码中密码校验处使用 != 符号，而不是hmac.Equal，这可能导致产生计时攻击漏洞，从而爆破密码。
建议使用 hmac.Equal 比对密码。

Translation:

The source code uses the != symbol instead of hmac.Equal for password verification, which may lead to timing attack vulnerabilities that can lead to password cracking. It is recommended to use hmac. Equal to compare passwords.

Details

https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26

Impact

该产品的所有使用者。

Translation:

All users of this product.

References

WEB https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-6m9h-2pr2-9j8f
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-30257
PACKAGE https://github.com/1Panel-dev/1Panel
WEB https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes