Timing Attacks Vulnerability in Apache Doris
CVE-2023-41313

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Doris
Vendor: CVE Published:; 12 March 2024

Summary

A vulnerability exists in the authentication method of Apache Doris, which is susceptible to timing attacks. This issue affects versions before 2.0.0 and poses a significant risk to data security by allowing attackers to exploit timing discrepancies during authentication processes. Users are strongly advised to upgrade to version 2.0.0 or 1.2.8 to mitigate the risk associated with this vulnerability.

Affected Version(s)

Apache Doris 0 < 1.2.8

References

https://lists.apache.org/thread/jqczy3vxzs6q6rz9o0626j5nk...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/03/10/2

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 12, 2024
Vulnerability Reserved
Aug 28, 2023

Credit

Andrea Cosentino from Apache Software Foundation