CVE-2024-30257

Description

1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != symbol instead hmac.Equal. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected products

1Panel-dev / 1Panel< 1.10.3-lts – < 1.10.3-lts

References

VENDOR_ADVISORYhttps://github.com/1Panel-dev/1Panel/security/advisories/GHSA-6m9h-2pr2-9j8f
MISChttps://github.com/1Panel-dev/1Panel/blob/dev/backend/app/service/auth.go#L81C5-L81C26