PT-2022-28126 · Ibexa · Ibexa Dxp+1
Christoph Rottermanner +1 · Published 2022-06-02 · Updated 2025-03-04 · CVE-2022-48366
CVSS v3.1: 3.7 (Low)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
eZ Platform Ibexa Kernel versions prior to 1.3.19
Description
The issue allows an unauthenticated remote party to determine whether an account exists by means of a timing attack, affecting privacy. Ibexa DXP's use of a random execution time to hinder timing attacks was found to be insufficient in some situations. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Exploitation consists of a timing attack against user accounts: the response time of an authentication attempt reveals whether a given account exists in the system, without knowledge of its password.
Recommendations
For versions prior to 1.3.19, update to version 1.3.19 or later, which replaces the random execution time with constant-time functionality, configured in the new security.yml parameter `ibexa.security.authentication.constant_auth_time`.
As a temporary workaround, consider increasing the `ibexa.security.authentication.constant_auth_time` setting if a warning is logged because the constant time was exceeded.
Fix
Race Condition
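Added example (Python, not Ibexa's own PHP code) of the padding behaviour the fix above describes: authentication is padded to a configured floor so that existing and non-existent accounts answer in the same time, and a warning is logged when the real work exceeds the floor, which is the condition under which the workaround says to raise the setting. The `constant_auth_time` value and the in-memory user store are constructed for the example.

```python
import hmac
import logging
import time

log = logging.getLogger("auth")

# Constructed user store: username -> stored credential. A real deployment
# uses a proper password hasher; this stand-in only models the cost asymmetry.
USERS = {"alice": "hash-of-alice-password"}


def lookup_and_verify(username: str, password: str) -> bool:
    """Unpadded flow: unknown users return immediately, known users pay for
    the (simulated) hash verification. This asymmetry is what leaks existence."""
    stored = USERS.get(username)
    if stored is None:
        return False
    time.sleep(0.02)  # stand-in for an expensive password hash check
    return hmac.compare_digest(stored, "hash-of-" + password)


def authenticate_constant_time(username: str, password: str,
                               constant_auth_time: float = 0.05):
    """Pad the whole authentication step to a fixed floor (seconds).

    Returns (authenticated, elapsed_seconds, floor_exceeded). If the real work
    already took longer than the floor, no padding can hide it, so a warning is
    logged and the operator should raise constant_auth_time."""
    start = time.monotonic()
    authenticated = lookup_and_verify(username, password)
    work = time.monotonic() - start
    exceeded = work > constant_auth_time
    if exceeded:
        log.warning("authentication took %.3fs, exceeding constant_auth_time=%.3fs; "
                    "increase the setting", work, constant_auth_time)
    else:
        time.sleep(constant_auth_time - work)  # pad fast paths up to the floor
    return authenticated, time.monotonic() - start, exceeded


if __name__ == "__main__":
    for user, pw in (("alice", "alice-password"), ("nobody", "x")):
        ok, elapsed, exc = authenticate_constant_time(user, pw)
        print(f"{user!r}: ok={ok} elapsed={elapsed:.3f}s floor_exceeded={exc}")
```

With the default floor both the existing and the non-existent account take at least 0.05 s, so the response time no longer distinguishes them.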
Related Identifiers
Affected Products
Ibexa Dxp
Ez Platform Ibexa Kernel