CVE-2023-32691

Name of the Vulnerable Software and Affected Versions gost (GO Simple Tunnel) (affected versions not specified)

Description The issue arises from the comparison of untrusted input, sourced from an HTTP header, with a secret using a non-constant time comparison function. This allows an attacker to mount a side-channel timing attack to guess the password. Sensitive secrets such as passwords, token, and API keys should be compared only using a constant-time comparison function.

Recommendations As a temporary workaround, consider using a constant time comparing function such as crypto/subtle's ConstantTimeCompare to compare sensitive secrets. Apply the provided patch to fix the timing attack vulnerability in the auth.go file. Use the ConstantTimeCompare function from the crypto/subtle package to securely compare passwords, as shown in the example fix. At the moment, there is no information about a newer version that contains a fix for this vulnerability.