x/vulndb: potential Go vuln in github.com/svix/svix-webhooks: CVE-2024-21491 #2548
Assignees
Labels
excluded: NOT_GO_CODE
This vulnerability does not refer to a Go module.
Comments
neild
added
the
excluded: NOT_GO_CODE
|
Change https://go.dev/cl/568036 mentions this issue: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2024-21491 references github.com/svix/svix-webhooks, which may be a Go module.
Description:
Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature.
Note:
The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues.
References:
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: