CVE-2022-48366: 
PHP vulnerability analysis and mitigation

A timing attack vulnerability (CVE-2022-48366) was discovered in eZ Platform Ibexa Kernel before version 1.3.19, disclosed on March 12, 2023. The vulnerability affects multiple versions of Ibexa products including Commerce, Digital Experience Platform, and eZ Platform Kernel. This security issue allows attackers to determine account existence through timing analysis (Ibexa Advisory, NVD).

The vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). It has been assigned a CVSS v3.1 base score of 3.7 (Low severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The implementation of random execution time to prevent timing attacks against user accounts was found to be insufficient in certain situations (NVD).

The vulnerability allows malicious actors to discover whether specific user accounts exist in the system without knowing their passwords, potentially compromising user privacy. This information disclosure could be used as a stepping stone for further attacks (Ibexa Advisory).

The fix replaces the random execution time implementation with constant time functionality, configured in the security.yml parameter 'ibexa.security.authentication.constantauthtime'. The system will log a warning if the constant time is exceeded, in which case the setting should be increased. Users should upgrade to version 1.3.19 or later of the Ibexa Kernel (Ibexa Advisory).