Branch: refs/heads/master
Home:
https://github.com/Checkmk/checkmk
Commit: e7973e78ad0bdfb42671b3dcd326bcbd6a6b4b4d
https://github.com/Checkmk/checkmk/commit/e7973e78ad0bdfb42671b3dcd326bcbd6…
Author: Hannes Rantzsch <hannes.rantzsch(a)checkmk.com>
Date: 2023-11-21 (Tue, 21 Nov 2023)
Changed paths:
A .werks/15195
M cmk/gui/auth.py
M cmk/utils/crypto/secrets.py
M tests/unit/cmk/utils/crypto/test_secrets.py
Log Message:
-----------
15195 SEC Protect automation user secret against timing attacks
This Werk improves how the secret of an automation user is validated during login.
Prior to the Werk, the automation user's password was not checked in a way that is
safe against (theoretical) timing attacks.
This is fixed now.
Even though this Werk improves security, it does not address an exploitable
vulnerability.
To aid automated scanning we assign a CVSS score of 0.0 (None)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
CMK-15066
Change-Id: I23aebf47b235fecd5eb83fba15384f90f8a68625