
CVE-2022-24912: Atlantis Events vulnerable to Timing Attack

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.44725%
Published: 7/30/2022
Updated: 8/30/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: github.com/runatlantis/atlantis
Ecosystem: go
Vulnerable Versions: < 0.19.7
First Patched Version: 0.19.7

Vulnerability Intelligence

Root Cause Analysis

The vulnerability was specifically patched by replacing a direct string comparison with crypto/subtle.ConstantTimeCompare in the ParseAndValidate method of the GitLab validator. The pre-patch code compared secrets using regular string equality checks (headerSecret != secretStr), which leaks timing information. This function is explicitly shown in the commit diff and referenced in all vulnerability reports as the attack vector. Other webhook validators (GitHub/Bitbucket) were not vulnerable as they used HMAC validation instead of direct secret comparison.
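To make the root cause concrete, here is an added example (not Atlantis' own code) that places the pre-patch style comparison beside the constant-time form and wires the latter into a small GitLab-style webhook validator. The names parseAndValidate, equalVariableTime and equalConstantTime, the configured secret and the request body are constructed for this example; X-Gitlab-Token is GitLab's token header, and hashing both values before subtle.ConstantTimeCompare is an extra hardening that the patch described above does not include.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

var ErrBadSecret = errors.New("invalid webhook secret")

// equalVariableTime mirrors the pre-patch pattern: Go's == on strings
// stops at the first differing byte, so its running time reveals how
// long the matching prefix of the supplied secret is.
func equalVariableTime(headerSecret, secretStr string) bool {
	return headerSecret == secretStr
}

// equalConstantTime is the hardened form. subtle.ConstantTimeCompare
// takes time that depends only on input length, but returns 0 at once
// when lengths differ; hashing both sides first (an extra hardening,
// not part of the Atlantis patch) hides the secret's length as well.
func equalConstantTime(headerSecret, secretStr string) bool {
	a := sha256.Sum256([]byte(headerSecret))
	b := sha256.Sum256([]byte(secretStr))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// parseAndValidate (hypothetical, modelled on the GitLab validator the
// page names) returns the webhook body only when the X-Gitlab-Token
// header matches the configured secret; the check is constant-time.
func parseAndValidate(r *http.Request, secret []byte) ([]byte, error) {
	if !equalConstantTime(r.Header.Get("X-Gitlab-Token"), string(secret)) {
		return nil, ErrBadSecret
	}
	return io.ReadAll(r.Body)
}

func main() {
	// Constructed delivery, as the validator would see it from GitLab.
	req, _ := http.NewRequest("POST", "/events", strings.NewReader(`{"object_kind":"push"}`))
	req.Header.Set("X-Gitlab-Token", "constructed-secret")
	body, err := parseAndValidate(req, []byte("constructed-secret"))
	fmt.Printf("body=%s err=%v\n", body, err)
}
```

A request with a missing or wrong token is rejected with ErrBadSecret before the body is read, and the rejection time no longer depends on how many leading bytes of the token were correct.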

WAF Protection Rules

WAF Rule

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allo
