PT-2022-28176 · Ibexa · Ibexa Dxp
Published 2022-06-02 · Updated 2022-06-02
Name of the Vulnerable Software and Affected Versions
Ibexa DXP (affected versions not specified)
Description
The login process does not adequately protect the privacy of user accounts against timing attacks. The existing mitigation, a randomized execution time, is not effective in all situations, so an attacker can determine whether an account exists without knowing its password. The fix replaces the random execution time with constant-time functionality.
Recommendations
For Ibexa DXP, configure the new security.yml parameter 'ibexa.security.authentication.constant_auth_time' to enable constant-time functionality for authentication. If a warning is logged indicating that the constant time was exceeded, increase the setting until such warnings no longer occur.
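Added example (not Ibexa's own code) illustrating the two points above: averaging many login attempts cancels a random delay but not the cost gap between an existing and an unknown account, whereas padding every attempt to a fixed budget removes the gap, and a check that overruns the budget cannot be hidden, which is why the warning must be acted on. The cost figures, the 200 ms budget and all function names are constructed assumptions.

```python
import random
import statistics
import time
from typing import Callable, Tuple

# Constructed cost model (illustrative, not measured Ibexa figures): verifying a
# password hash is expensive, rejecting an unknown account returns early.
HASH_COST_S = 0.050
UNKNOWN_USER_COST_S = 0.001
JITTER_MAX_S = 0.100       # upper bound of the random delay being modelled
CONSTANT_BUDGET_S = 0.200  # fixed wall-clock budget for the constant-time variant

def mean_failed_login_s(account_exists: bool, mode: str, samples: int, seed: int = 1) -> float:
    """Mean observable duration of `samples` failed logins (wrong password).
    mode="random" adds uniform jitter; mode="constant" pads to CONSTANT_BUDGET_S."""
    rng = random.Random(seed)
    base = HASH_COST_S if account_exists else UNKNOWN_USER_COST_S
    durations = []
    for _ in range(samples):
        if mode == "random":
            durations.append(base + rng.uniform(0.0, JITTER_MAX_S))
        elif mode == "constant":
            durations.append(max(base, CONSTANT_BUDGET_S))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return statistics.mean(durations)

def timing_leak_s(mode: str, samples: int = 2000) -> float:
    """Gap between existing and unknown accounts after averaging. Jitter is
    zero-mean noise, so it averages out and the hash-cost gap survives;
    constant padding removes the gap entirely."""
    return mean_failed_login_s(True, mode, samples) - mean_failed_login_s(False, mode, samples)

def pad_to_constant_time(check: Callable[[], bool], budget_s: float) -> Tuple[bool, float, bool]:
    """Run the credential check, then sleep so the whole call lasts `budget_s`.
    Returns (result, elapsed_s, exceeded); `exceeded` means the check alone overran
    the budget, the case that should be logged and fixed by raising the setting."""
    start = time.perf_counter()
    result = check()
    work = time.perf_counter() - start
    exceeded = work > budget_s
    if not exceeded:
        time.sleep(budget_s - work)
    return result, time.perf_counter() - start, exceeded

def slow_reject(seconds: float) -> Callable[[], bool]:
    """Check that sleeps `seconds` then rejects; exercises the budget-overrun path."""
    return lambda: (time.sleep(seconds), False)[1]
```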