CVE-2024-22893

Name of the Vulnerable Software and Affected Versions OpenSlides version 4.0.15

Description The issue allows attackers to obtain information about the password hash using a timing attack, as the password verification function in OpenSlides has content-dependent runtime. This means the function takes different times to compare password hashes, potentially revealing sensitive information.

Recommendations For OpenSlides version 4.0.15, consider implementing a constant-time comparison function for password hashes to prevent timing attacks. As a temporary workaround, restrict access to the password verification function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.