| id: GO-2022-1201 |
| modules: |
| - module: github.com/openshift/osin |
| versions: |
| - fixed: 1.0.2-0.20210113124101-8612686d6dda |
| vulnerable_at: 1.0.1 |
| packages: |
| - package: github.com/openshift/osin |
| symbols: |
| - DefaultClient.ClientSecretMatches |
| - CheckClientSecret |
| derived_symbols: |
| - Server.HandleAccessRequest |
| - Server.HandleAuthorizeRequest |
| summary: Timing attack in github.com/openshift/osin |
| description: |- |
| Client secret checks are vulnerable to timing attacks, which could permit an |
| attacker to determine client secrets. |
| cves: |
| - CVE-2021-4294 |
| ghsas: |
| - GHSA-m7qp-cj9p-gj85 |
| references: |
| - fix: https://github.com/openshift/osin/pull/200 |
| - fix: https://github.com/openshift/osin/commit/8612686d6dda34ae9ef6b5a974e4b7accb4fea29 |
| review_status: REVIEWED |