CVE-2021-4294Observable Timing Discrepancy in Openshift Osin

CWE-208Observable Timing DiscrepancyCWE-203Observable DiscrepancyCWE-20Improper Input Validation7 documents5 sources
Severity
5.9MEDIUMNVD
CNA2.6
EPSS
0.2%
top 57.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Openshift OsinOpenshift OsinRedhat Openshift Container Platform+1 more
Timeline
PublishedDec 28
Latest updateFeb 27

Description

A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216987.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

Gogithub.com/openshift_osin< 1.0.2-0.20210113124101-8612686d6dda
CVEListV5openshift/osinn/a
NVDredhat/openshift_osin1.0.0, 1.0.1+1

Also affects: Openshift Container Platform 4.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Timing attack in github.com/openshift/osin2023-01-03
GHSA
OpenShift OSIN vulnerable to Observable Timing Discrepancy2022-12-28
CVEList
OpenShift OSIN CheckClientSecret timing discrepancy2022-12-28
OSV
OpenShift OSIN vulnerable to Observable Timing Discrepancy2022-12-28

📋Vendor Advisories

2
Red Hat
kernel: io_uring: fix shared sqpoll cancellation hangs2024-02-27
Red Hat
osin: manipulation of the argument secret leads to observable timing discrepancy2022-12-28
CVE-2021-4294 — Observable Timing Discrepancy | cvebase