github.com/openshift/osin is vulnerable to timing attacks. The vulnerability exists because the ClientSecretMatches function in client.go and the CheckClientSecret function in util.go do not compare hashes in constant time, allowing an attacker to use the timing of requests to progressively identify a valid hash.
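The difference between a variable-time and a constant-time secret check in Go, as an added example that is not osin's code. The function names and sample secrets are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// insecureSecretMatches (hypothetical name) shows the weak pattern: a plain
// equality check may stop at the first differing byte, so its run time can
// depend on how much of the supplied value matches the stored one.
func insecureSecretMatches(stored, supplied string) bool {
	return stored == supplied
}

// constantTimeSecretMatches (hypothetical name) is the hardened form.
// Both values are first reduced to fixed-length SHA-256 digests, because
// subtle.ConstantTimeCompare returns immediately when lengths differ and
// would otherwise reveal the stored value's length. The digests are then
// compared without data-dependent early exit.
func constantTimeSecretMatches(stored, supplied string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(supplied))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

func main() {
	// Constructed sample values, not real credentials.
	stored := "s3cr3t-constructed-value"
	candidates := []string{
		"s3cr3t-constructed-value", // exact match
		"s3cr3t-constructed-valuf", // differs only in the last byte
		"s3cr3t",                   // matching prefix, shorter length
		"",                         // empty input
	}
	for _, c := range candidates {
		fmt.Printf("%-28q insecure=%-5v constant-time=%v\n",
			c, insecureSecretMatches(stored, c), constantTimeSecretMatches(stored, c))
	}
}
```

Both functions return the same boolean for every input; only the hardened one keeps the comparison time independent of where the first mismatch occurs.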