| modules: |
| - module: github.com/runatlantis/atlantis |
| versions: |
| - fixed: 0.19.7 |
| vulnerable_at: 0.19.6 |
| packages: |
| - package: github.com/runatlantis/atlantis/server/controllers/events |
| symbols: |
| - DefaultGitlabRequestParserValidator.ParseAndValidate |
| description: | |
| Validation of Gitlab requests can leak secrets. |
| |
| The package github.com/runatlantis/atlantis/server/controllers/events uses a |
| non-constant time comparison for secrets while validating a Gitlab request. |
| This allows for a timing attack where an attacker can recover a secret and |
| then forge the request. |
| published: 2022-08-11T20:54:51Z |
| cves: |
| - CVE-2022-24912 |
| ghsas: |
| - GHSA-jxqv-jcvh-7gr4 |
| credit: cedws |
| references: |
| - fix: https://github.com/runatlantis/atlantis/pull/2392 |
| - fix: https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820 |
| - web: https://github.com/runatlantis/atlantis/issues/2391 |
| - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851 |