Cedws

#36155 of 53,624
7.5 Total CVSS
Vulnerabilities · 1
PT-2022-16979
7.5
2022-07-29
Atlantis · Atlantis · CVE-2022-24912
**Name of the Vulnerable Software and Affected Versions** github.com/runatlantis/atlantis/server/controllers/events, versions prior to 0.19.7 **Description** The webhook event validator does not use a constant-time comparison when checking the webhook secret. Because an ordinary string comparison returns as soon as the first differing byte is found, an attacker who can send requests to the webhook endpoint can measure response times and recover the secret byte by byte, then forge webhook events that Atlantis will accept. The validation of GitLab requests, where the shared token is sent verbatim in the request and compared against the configured secret, can leak the secret in the same way. **Recommendations** Update to version 0.19.7 or later, where the comparison is done in constant time. Disabling the webhook event validator is not a workaround: with validation off, anyone who can reach the endpoint can forge events without having to recover the secret at all. Until the upgrade is done, limit which source addresses can reach the webhook endpoint so that only the VCS provider can send requests to it, and after upgrading rotate the webhook secret, since a secret exposed to this attack may already have been recovered.
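The vulnerable comparison and its constant-time replacement, side by side, as an added illustration written for this page in Go. It is not Atlantis's own code; the secret, payload and the helper names are constructed here. It assumes the two header conventions the description refers to: GitHub sends `sha256=<hex HMAC-SHA256 of the body>` in `X-Hub-Signature-256`, and GitLab sends the shared secret itself in `X-Gitlab-Token`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample secret for the illustration (not from the advisory).
const secret = "example-webhook-secret"

// githubSignature computes the value GitHub puts in X-Hub-Signature-256:
// "sha256=" followed by the hex HMAC-SHA256 of the raw body under the secret.
func githubSignature(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// validateGitHubVulnerable shows the flawed pattern: string == stops at the
// first differing character, so the response time reveals how many leading
// characters of the attacker's guess matched the expected signature.
func validateGitHubVulnerable(secret, body []byte, header string) bool {
	return header == githubSignature(secret, body)
}

// validateGitHubHardened decodes the header and compares the MAC bytes with
// hmac.Equal, whose running time does not depend on where the bytes differ.
func validateGitHubHardened(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// validateGitLabVulnerable: the token is the secret itself, so a
// short-circuiting comparison leaks the secret directly, one byte at a time.
func validateGitLabVulnerable(secret []byte, token string) bool {
	return string(secret) == token
}

// validateGitLabHardened hashes both sides before the constant-time compare.
// subtle.ConstantTimeCompare returns early when the lengths differ, so
// comparing raw values would still reveal the secret's length; comparing
// fixed-size digests removes that signal.
func validateGitLabHardened(secret []byte, token string) bool {
	want := sha256.Sum256(secret)
	got := sha256.Sum256([]byte(token))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

func main() {
	body := []byte(`{"action":"opened"}`) // constructed sample payload
	key := []byte(secret)
	sig := githubSignature(key, body)
	fmt.Println("github, genuine signature:", validateGitHubHardened(key, body, sig))
	fmt.Println("github, forged signature: ", validateGitHubHardened(key, body, "sha256=deadbeef"))
	fmt.Println("gitlab, correct token:    ", validateGitLabHardened(key, secret))
	fmt.Println("gitlab, guessed token:    ", validateGitLabHardened(key, "guess"))
}
```

Both hardened functions accept exactly the same inputs as the vulnerable ones, so the fix is a drop-in change to the comparison alone; the rejection path for a malformed GitHub header (wrong prefix, bad hex) returns before any MAC is computed, which is fine because nothing about the secret is involved in those checks.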