Vulnerabilities > CVE-2022-24912 - Information Exposure Through Discrepancy vulnerability in Runatlantis Atlantis
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
- https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
- https://github.com/runatlantis/atlantis/issues/2391
- https://github.com/runatlantis/atlantis/issues/2391
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851