First published: Thu Apr 18 2024
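### Summary
The password check in the source code uses the `!=` operator instead of `hmac.Equal`, which may introduce a timing-attack vulnerability that allows the password to be brute-forced. Using `hmac.Equal` to compare passwords is recommended.

### Details
https://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26

### PoC

### Impact
All users of this product.
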
Affected Software | Affected Version | How to fix |
---|---|---|
go/github.com/1Panel-dev/1Panel | <1.10.3 | 1.10.3 |
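
The comparison pattern from the Summary beside the recommended `hmac.Equal` form, as an added Go example (not 1Panel's code; the function names and sample passwords are constructed for illustration). Both values are hashed with SHA-256 before comparison because `hmac.Equal` returns early when the two slices differ in length.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

var errAuth = errors.New("authentication failed")

// checkInsecure uses the pattern the advisory flags: != on strings may stop
// at the first differing byte, so timing can depend on the matching prefix.
func checkInsecure(stored, supplied string) error {
	if stored != supplied {
		return errAuth
	}
	return nil
}

// checkConstantTime hashes both values to a fixed 32 bytes, then compares
// with hmac.Equal, whose running time does not depend on where they differ.
// Hashing first matters: hmac.Equal returns at once for unequal lengths,
// which would otherwise reveal the length of the stored password.
func checkConstantTime(stored, supplied string) error {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(supplied))
	if !hmac.Equal(a[:], b[:]) {
		return errAuth
	}
	return nil
}

func main() {
	stored := "constructed-sample-password" // constructed value, not from the page
	for _, guess := range []string{stored, "constructed-sample-passworX", "c", ""} {
		fmt.Printf("%-30q insecure=%v constant-time=%v\n",
			guess, checkInsecure(stored, guess) == nil, checkConstantTime(stored, guess) == nil)
	}
}
```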