GHSA-342c-vcff-2ff2: 
PHP vulnerability analysis and mitigation

A timing attack vulnerability (CVE-2022-48366) was discovered in eZ Platform Ibexa Kernel before version 1.3.19. The vulnerability was disclosed on May 31, 2022, affecting multiple components of the Ibexa DXP platform. The issue specifically relates to the authentication system's implementation of random execution time, which was intended to prevent timing attacks against user accounts but was found to be insufficient in certain situations (Ibexa Advisory).

The vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) with a CVSS v3.1 base score of 3.7 (LOW), vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue stems from the system's implementation of random execution time meant to prevent timing attacks, which could allow attackers to determine whether user accounts exist in the system without knowing their passwords (NVD).

The vulnerability allows malicious actors to determine account existence through timing attacks, compromising user privacy. While the attack doesn't directly expose passwords or allow unauthorized access, it can reveal valid usernames in the system, which could be used as a stepping stone for further attacks (GitHub Advisory).

The vulnerability has been patched in version 1.3.19 of the ezplatform-kernel. The fix implements constant time functionality, configured through a new security.yml parameter 'ibexa.security.authentication.constantauthtime'. The system will log a warning if the constant time is exceeded, in which case the setting should be increased (Ibexa Advisory).

The vulnerability was responsibly disclosed by security researchers Christoph Rottermanner and Jonas Roller from it.sec, a consulting company specializing in information security, IT compliance, data protection, and IT forensics (Ibexa Advisory).