Vulnerabilities > CVE-2023-32691 - Information Exposure Through Discrepancy vulnerability in GO Simple Tunnel Project GO Simple Tunnel
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
gost (GO Simple Tunnel) is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not secure, an attacker can mount a side-channel timing attack to guess the password. As a workaround, this can be easily fixed using a constant time comparing function such as `crypto/subtle`'s `ConstantTimeCompare`.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46
- https://github.com/ginuerzh/gost/security/advisories/GHSA-qjrq-hm79-49ww
- https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46
- https://github.com/ginuerzh/gost/security/advisories/GHSA-qjrq-hm79-49ww