Total
101 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46570 | 1 Vllm | 1 Vllm | 2025-06-24 | N/A | 2.6 LOW |
| vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0. | |||||
| CVE-2024-56738 | 1 Gnu | 1 Grub2 | 2025-06-24 | N/A | 5.3 MEDIUM |
| GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks. | |||||
| CVE-2024-45191 | 1 Matrix | 1 Olm | 2025-06-17 | N/A | 5.3 MEDIUM |
| An issue was discovered in Matrix libolm through 3.2.16. The AES implementation is vulnerable to cache-timing attacks due to use of S-boxes. This is related to software that uses a lookup table for the SubWord step. This refers to the libolm implementation of Olm. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-13939 | 1 Fractal | 1 String\ | 2025-04-11 | N/A | 7.5 HIGH |
| String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829 | |||||
| CVE-2010-10006 | 1 Jopenid Project | 1 Jopenid | 2025-04-03 | 1.4 LOW | 2.6 LOW |
| A vulnerability, which was classified as problematic, was found in michaelliao jopenid. Affected is the function getAuthentication of the file JOpenId/src/org/expressme/openid/OpenIdManager.java. The manipulation leads to observable timing discrepancy. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.08 is able to address this issue. The name of the patch is c9baaa976b684637f0d5a50268e91846a7a719ab. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218460. | |||||
| CVE-2025-30344 | 1 Openslides | 1 Openslides | 2025-03-27 | N/A | 5.3 MEDIUM |
| An issue was discovered in OpenSlides before 4.2.5. During login at the /system/auth/login/ endpoint, the system's response times differ depending on whether a user exists in the system. The timing discrepancy stems from the omitted hashing of the password (e.g., more than 100 milliseconds). | |||||
| CVE-2020-35165 | 1 Dell | 2 Bsafe Crypto-c-micro-edition, Bsafe Micro-edition-suite | 2025-02-06 | N/A | 5.1 MEDIUM |
| Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability. | |||||
| CVE-2021-34337 | 1 Gnu | 1 Mailman | 2025-02-06 | N/A | 6.3 MEDIUM |
| An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attackers to exploit this, but can optionally be made to listen on other interfaces. | |||||
| CVE-2024-41828 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | N/A | 2.6 LOW |
| In JetBrains TeamCity before 2024.07 comparison of authorization tokens took non-constant time | |||||
| CVE-2023-41097 | 1 Silabs | 1 Gecko Software Development Kit | 2024-11-21 | N/A | 4.6 MEDIUM |
| An Observable Timing Discrepancy, Covert Timing Channel vulnerability in Silabs GSDK on ARM potentially allows Padding Oracle Crypto Attack on CBC PKCS7.This issue affects GSDK: through 4.4.0. | |||||
| CVE-2023-40182 | 1 Silverwaregames | 1 Silverwaregames | 2024-11-21 | N/A | 3.7 LOW |
| Silverware Games is a premium social network where people can play games online. When using the Recovery form, a noticeably different amount of time passes depending of whether the specified email address presents in our database or not. This has been fixed in version 1.3.7. | |||||
| CVE-2020-4071 | 1 Django-basic-auth-ip-whitelist Project | 1 Django-basic-auth-ip-whitelist | 2024-11-21 | 2.1 LOW | 2.2 LOW |
| In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings. | |||||
| CVE-2020-15237 | 1 Shrinerb | 1 Shrine | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Shrine before version 3.3.0, when using the `derivation_endpoint` plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. The problem has been fixed by comparing sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users using the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater. A possible workaround is provided in the linked advisory. | |||||
| CVE-2014-125056 | 1 Pylonsproject | 1 Horus | 2024-11-21 | 1.4 LOW | 2.6 LOW |
| A vulnerability was found in Pylons horus and classified as problematic. Affected by this issue is some unknown functionality of the file horus/flows/local/services.py. The manipulation leads to observable timing discrepancy. The complexity of an attack is rather high. The exploitation is known to be difficult. The patch is identified as fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec. It is recommended to apply a patch to fix this issue. VDB-217598 is the identifier assigned to this vulnerability. | |||||
| CVE-2014-125055 | 1 Easy-script Project | 1 Easy-script | 2024-11-21 | 1.4 LOW | 2.6 LOW |
| A vulnerability, which was classified as problematic, was found in agnivade easy-scrypt. Affected is the function VerifyPassphrase of the file scrypt.go. The manipulation leads to observable timing discrepancy. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 477c10cf3b144ddf96526aa09f5fdea613f21812. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217596. | |||||
| CVE-2013-10006 | 1 Ziftrshop | 1 Primecoin | 2024-11-21 | 1.4 LOW | 2.6 LOW |
| A vulnerability classified as problematic was found in Ziftr primecoin up to 0.8.4rc1. Affected by this vulnerability is the function HTTPAuthorized of the file src/bitcoinrpc.cpp. The manipulation of the argument strUserPass/strRPCUserColonPass leads to observable timing discrepancy. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 0.8.4rc2 is able to address this issue. The patch is named cdb3441b5cd2c1bae49fae671dc4a496f7c96322. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217171. | |||||
| CVE-2024-47178 | 1 Expressjs | 1 Basic-auth-connect | 2024-11-15 | N/A | 5.3 MEDIUM |
| basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0. | |||||
| CVE-2024-41741 | 1 Ibm | 1 Txseries For Multiplatforms | 2024-11-14 | N/A | 5.3 MEDIUM |
| IBM TXSeries for Multiplatforms 10.1 could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system. | |||||
| CVE-2024-45052 | 1 Ethyca | 1 Fides | 2024-09-06 | N/A | 5.3 MEDIUM |
| Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds. | |||||
| CVE-2024-1543 | 1 Wolfssl | 1 Wolfssl | 2024-09-04 | N/A | 5.5 MEDIUM |
| The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500 | |||||