漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Traefik: BasicAuth middleware: timing side-channel vulnerability
Vulnerability Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. This restores the original timing oracle and makes it possible to distinguish existing users from non-existing ones by measuring authentication response times. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
CVSS Information
N/A
Vulnerability Type
通过时间差异性导致的信息暴露
Vulnerability Title
Traefik 安全漏洞
Vulnerability Description
Traefik是Traefik开源的一款反向代理与负载均衡工具。 Traefik 2.11.43之前版本、3.6.14之前版本和3.7.0-rc.2之前版本存在安全漏洞,该漏洞源于BasicAuth中间件中用于常量时间比较的变量始终解析为空字符串,导致比较短路,可能允许攻击者通过响应时间差异枚举有效用户名。
CVSS Information
N/A
Vulnerability Type
N/A