Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2020-15151

CVE-2020-15151:
Observable Timing Discrepancy in OpenMage LTS

8

CVSS Score

Basic Information

CVE ID
CVE-2020-15151
GHSA ID
GHSA-crf2-xm6x-46p6
EPSS Score
-
CWE
CWE-203
Published
8/19/2020
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
openmage/magento-ltscomposer< 19.4.619.4.6
openmage/magento-ltscomposer>= 20.0.0, < 20.0.220.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows a critical change in _validateSecretKey() where a simple string comparison (secretKey != storedKey) was replaced with hash_equals(). Non-constant-time comparisons leak timing information about secret key matches, allowing attackers to brute-force the CSRF token. This directly maps to CWE-203 (Observable Discrepancy) and explains the CSRF vulnerability (CWE-352). The function's role in secret key validation makes it the clear vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility *llows to *ir*umv*nt t** ***ormk*y prot**tion** in t** **min Int*r**** *n* in*r**s*s t** *tt**k sur**** *or ***ross Sit* R*qu*st *or**ry** *tt**ks ### P*t***s T** l*t*st Op*nM*** V*rsions up *rom **.*.* *n* **.*.* **v

Reasoning

T** *ommit *i** s*ows * *riti**l ***n** in _v*li**t*S**r*tK*y() w**r* * simpl* strin* *omp*rison (s**r*tK*y != stor**K*y) w*s r*pl**** wit* **s*_*qu*ls(). Non-*onst*nt-tim* *omp*risons l**k timin* in*orm*tion **out s**r*t k*y m*t***s, *llowin* *tt**k