PT-2022-16979 · Atlantis · Atlantis
Cedws
·
Published
2022-07-29
·
Updated
2022-08-11
·
CVE-2022-24912
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
github.com/runatlantis/atlantis/server/controllers/events versions prior to 0.19.7
Description
The issue is related to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events. The validation of Gitlab requests can also leak secrets due to the use of a non-constant time comparison for secrets.
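The comparison flaw described above, as an added example that is not Atlantis's own code. `leakyEqual` models the vulnerable pattern (a byte-by-byte comparison that returns at the first mismatch) and reports how many bytes it examined as an idealized stand-in for the network timing an attacker would have to measure; `recoverSecret` shows why that leak is fatal, recovering the secret one byte at a time. `validateGitHub` and `validateGitLab` are the hardened forms: the GitHub-style check recomputes the HMAC-SHA256 sent in `X-Hub-Signature-256` and compares with `hmac.Equal`, and the GitLab-style check compares the raw `X-Gitlab-Token` value with `subtle.ConstantTimeCompare`. The secret and request body are constructed sample values; the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// leakyEqual models a non-constant-time comparison: it stops at the first
// mismatching byte, like a plain == on strings or a naive loop. The second
// return value is the number of bytes examined, an idealized substitute for
// the elapsed time an attacker would measure against the webhook endpoint.
func leakyEqual(guess, secret []byte) (bool, int) {
	if len(guess) != len(secret) {
		return false, 0
	}
	for i := range secret {
		if guess[i] != secret[i] {
			return false, i + 1
		}
	}
	return true, len(secret)
}

// recoverSecret turns the leak into a byte-by-byte recovery: for each
// position it tries every byte value and keeps the one that makes the
// oracle examine a further byte (or accept the whole guess). Cost is at most
// 256 guesses per byte instead of 256^n for the whole secret.
func recoverSecret(oracle func([]byte) (bool, int), length int) []byte {
	recovered := make([]byte, length)
	for pos := 0; pos < length; pos++ {
		for c := 0; c < 256; c++ {
			recovered[pos] = byte(c)
			ok, examined := oracle(recovered)
			if ok || examined > pos+1 {
				break // byte at pos is correct
			}
		}
	}
	return recovered
}

// constantTimeEqual is the fix for a raw-secret comparison: every byte is
// examined regardless of where the first difference is, so the only thing
// an observer learns is the final accept/reject bit (and the length).
func constantTimeEqual(guess, secret []byte) bool {
	return subtle.ConstantTimeCompare(guess, secret) == 1
}

// githubSignature builds the value GitHub sends in X-Hub-Signature-256:
// "sha256=" followed by hex(HMAC-SHA256(secret, body)).
func githubSignature(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// validateGitHub recomputes the HMAC over the received body and compares it
// with hmac.Equal, which is constant-time.
func validateGitHub(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	received, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(received, mac.Sum(nil))
}

// validateGitLab compares the raw X-Gitlab-Token header value against the
// configured secret in constant time.
func validateGitLab(secret []byte, token string) bool {
	return constantTimeEqual([]byte(token), secret)
}

func main() {
	secret := []byte("constructed-example-secret") // constructed sample value
	oracle := func(g []byte) (bool, int) { return leakyEqual(g, secret) }
	fmt.Printf("recovered via leaky oracle: %q\n", recoverSecret(oracle, len(secret)))

	body := []byte(`{"action":"opened"}`) // constructed sample payload
	fmt.Println("github valid:", validateGitHub(secret, body, githubSignature(secret, body)))
	fmt.Println("github forged body:", validateGitHub(secret, []byte(`{"action":"closed"}`), githubSignature(secret, body)))
	fmt.Println("gitlab valid:", validateGitLab(secret, "constructed-example-secret"))
}
```

Two caveats for anyone applying this: `subtle.ConstantTimeCompare` returns 0 immediately when the lengths differ, so a raw-token check still leaks the secret's length (not a problem for the fixed-size HMAC case), and a real attack needs a timing signal that survives network jitter, which takes many more measurements than the single-call oracle modelled here; the fix is the same either way.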
Recommendations
For versions prior to 0.19.7, update to version 0.19.7 or later, which validates the secret with a constant-time comparison. Disabling the webhook event validator is not a safe workaround: it removes the only check on who sent an event, so anyone who can reach the endpoint can forge events without first recovering the secret. Until you can upgrade, restrict network access to the Atlantis webhook endpoint (the handlers in github.com/runatlantis/atlantis/server/controllers/events) to the address ranges of your VCS provider, and rotate the webhook secret after upgrading, since a secret exposed to this timing leak should be treated as potentially recovered.
Exploit
Fix
Side Channel Attack
Related Identifiers
Affected Products
Atlantis