Vulnerability Details CVE-2022-24912
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.7%
CVSS Severity
CVSS v3 Score 7.5
References
- https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
- https://github.com/runatlantis/atlantis/issues/2391
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851
- https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
- https://github.com/runatlantis/atlantis/issues/2391
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851
Products affected by CVE-2022-24912
-
cpe:2.3:a:runatlantis:atlantis:0.1.0
-
cpe:2.3:a:runatlantis:atlantis:0.1.1
-
cpe:2.3:a:runatlantis:atlantis:0.1.2
-
cpe:2.3:a:runatlantis:atlantis:0.1.3
-
cpe:2.3:a:runatlantis:atlantis:0.10.0
-
cpe:2.3:a:runatlantis:atlantis:0.10.1
-
cpe:2.3:a:runatlantis:atlantis:0.10.2
-
cpe:2.3:a:runatlantis:atlantis:0.11.0
-
cpe:2.3:a:runatlantis:atlantis:0.11.1
-
cpe:2.3:a:runatlantis:atlantis:0.12.0
-
cpe:2.3:a:runatlantis:atlantis:0.13.0
-
cpe:2.3:a:runatlantis:atlantis:0.14.0
-
cpe:2.3:a:runatlantis:atlantis:0.15.0
-
cpe:2.3:a:runatlantis:atlantis:0.15.1
-
cpe:2.3:a:runatlantis:atlantis:0.16.0
-
cpe:2.3:a:runatlantis:atlantis:0.16.1
-
cpe:2.3:a:runatlantis:atlantis:0.17.0
-
cpe:2.3:a:runatlantis:atlantis:0.17.1
-
cpe:2.3:a:runatlantis:atlantis:0.17.2
-
cpe:2.3:a:runatlantis:atlantis:0.17.3
-
cpe:2.3:a:runatlantis:atlantis:0.17.4
-
cpe:2.3:a:runatlantis:atlantis:0.17.5
-
cpe:2.3:a:runatlantis:atlantis:0.17.6
-
cpe:2.3:a:runatlantis:atlantis:0.18.0
-
cpe:2.3:a:runatlantis:atlantis:0.18.1
-
cpe:2.3:a:runatlantis:atlantis:0.18.2
-
cpe:2.3:a:runatlantis:atlantis:0.18.3
-
cpe:2.3:a:runatlantis:atlantis:0.18.4
-
cpe:2.3:a:runatlantis:atlantis:0.18.5
-
cpe:2.3:a:runatlantis:atlantis:0.19.0
-
cpe:2.3:a:runatlantis:atlantis:0.19.1
-
cpe:2.3:a:runatlantis:atlantis:0.19.2
-
cpe:2.3:a:runatlantis:atlantis:0.19.3
-
cpe:2.3:a:runatlantis:atlantis:0.19.4
-
cpe:2.3:a:runatlantis:atlantis:0.19.5
-
cpe:2.3:a:runatlantis:atlantis:0.19.6
-
cpe:2.3:a:runatlantis:atlantis:0.2.0
-
cpe:2.3:a:runatlantis:atlantis:0.2.1
-
cpe:2.3:a:runatlantis:atlantis:0.2.2
-
cpe:2.3:a:runatlantis:atlantis:0.2.3
-
cpe:2.3:a:runatlantis:atlantis:0.2.4
-
cpe:2.3:a:runatlantis:atlantis:0.3.0
-
cpe:2.3:a:runatlantis:atlantis:0.3.1
-
cpe:2.3:a:runatlantis:atlantis:0.3.10
-
cpe:2.3:a:runatlantis:atlantis:0.3.11
-
cpe:2.3:a:runatlantis:atlantis:0.3.2
-
cpe:2.3:a:runatlantis:atlantis:0.3.3
-
cpe:2.3:a:runatlantis:atlantis:0.3.4
-
cpe:2.3:a:runatlantis:atlantis:0.3.5
-
cpe:2.3:a:runatlantis:atlantis:0.3.6
-
cpe:2.3:a:runatlantis:atlantis:0.3.7
-
cpe:2.3:a:runatlantis:atlantis:0.3.8
-
cpe:2.3:a:runatlantis:atlantis:0.3.9
-
cpe:2.3:a:runatlantis:atlantis:0.4.0
-
cpe:2.3:a:runatlantis:atlantis:0.4.1
-
cpe:2.3:a:runatlantis:atlantis:0.4.10
-
cpe:2.3:a:runatlantis:atlantis:0.4.11
-
cpe:2.3:a:runatlantis:atlantis:0.4.12
-
cpe:2.3:a:runatlantis:atlantis:0.4.13
-
cpe:2.3:a:runatlantis:atlantis:0.4.14
-
cpe:2.3:a:runatlantis:atlantis:0.4.15
-
cpe:2.3:a:runatlantis:atlantis:0.4.2
-
cpe:2.3:a:runatlantis:atlantis:0.4.3
-
cpe:2.3:a:runatlantis:atlantis:0.4.4
-
cpe:2.3:a:runatlantis:atlantis:0.4.5
-
cpe:2.3:a:runatlantis:atlantis:0.4.6
-
cpe:2.3:a:runatlantis:atlantis:0.4.7
-
cpe:2.3:a:runatlantis:atlantis:0.4.8
-
cpe:2.3:a:runatlantis:atlantis:0.4.9
-
cpe:2.3:a:runatlantis:atlantis:0.5.0
-
cpe:2.3:a:runatlantis:atlantis:0.5.1
-
cpe:2.3:a:runatlantis:atlantis:0.6.0
-
cpe:2.3:a:runatlantis:atlantis:0.7.0
-
cpe:2.3:a:runatlantis:atlantis:0.7.1
-
cpe:2.3:a:runatlantis:atlantis:0.7.2
-
cpe:2.3:a:runatlantis:atlantis:0.8.0
-
cpe:2.3:a:runatlantis:atlantis:0.8.1
-
cpe:2.3:a:runatlantis:atlantis:0.8.2
-
cpe:2.3:a:runatlantis:atlantis:0.8.3
-
cpe:2.3:a:runatlantis:atlantis:0.9.0