What is the severity of CVE-2024-30257?

CVE-2024-30257 is classified as a medium severity vulnerability due to the risk of timing attacks affecting password security.

How do I fix CVE-2024-30257?

To fix CVE-2024-30257, modify the password comparison to use `hmac.Equal` instead of the `!=` symbol.

Who is affected by CVE-2024-30257?

All users of versions up to and including 1.10.3 of the 1Panel software are affected by CVE-2024-30257.

What type of attack does CVE-2024-30257 enable?

CVE-2024-30257 enables timing attacks that can facilitate password brute-forcing.

Which software versions are vulnerable to CVE-2024-30257?

The vulnerable versions of the software are all versions prior to 1.10.3 of the 1Panel package.

Vulnerability/
CVE-2024-30257

medium

5.9

CWE

203

18/4/2024

11/2/2025

CVE-2024-30257: 1Panel's password verification is suspected to have a timing attack vulnerability

First published: Thu Apr 18 2024(Updated: )

### Summary 源码中密码校验处使用 != 符号，而不是`hmac.Equal`，这可能导致产生计时攻击漏洞，从而爆破密码。建议使用 `hmac.Equal` 比对密码。 Translation: The source code uses the != symbol instead of hmac.Equal for password verification, which may lead to timing attack vulnerabilities that can lead to password cracking. It is recommended to use hmac. Equal to compare passwords. ### Details https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26 ### Impact 该产品的所有使用者。 Translation: All users of this product.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
go/github.com/1Panel-dev/1Panel	<1.10.3	1.10.3
Fit2cloud 1panel	<1.10.3-lts

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-30257?
CVE-2024-30257 is classified as a medium severity vulnerability due to the risk of timing attacks affecting password security.
How do I fix CVE-2024-30257?
To fix CVE-2024-30257, modify the password comparison to use `hmac.Equal` instead of the `!=` symbol.
Who is affected by CVE-2024-30257?
All users of versions up to and including 1.10.3 of the 1Panel software are affected by CVE-2024-30257.
What type of attack does CVE-2024-30257 enable?
CVE-2024-30257 enables timing attacks that can facilitate password brute-forcing.
Which software versions are vulnerable to CVE-2024-30257?
The vulnerable versions of the software are all versions prior to 1.10.3 of the 1Panel package.

agent/title
agent/weakness
agent/first-publish-date
agent/type
agent/references
agent/author
collector/nvd-cve
source/NVD
collector/github-advisory
source/GitHub
alias/GHSA-6m9h-2pr2-9j8f
alias/CVE-2024-30257
agent/software-canonical-lookup
agent/description
collector/mitre-cve
source/MITRE
agent/trending
agent/source
collector/github-advisory-latest
agent/last-modified-date
collector/nvd-api
agent/severity
agent/softwarecombine
agent/tags
agent/event
package-manager/go
vendor/fit2cloud
canonical/fit2cloud 1panel

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.