Timing Attack Vulnerability in Atlantis Webhook Event Validator

Timing Attack Vulnerability in Atlantis Webhook Event Validator

CVE-2022-24912 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.

Learn more about our Web App Pen Testing.