CVE-2023-32691 Vulnerability Analysis & Exploit Details

CVE-2023-32691 Vulnerability Summary

CVE-2023-32691: gost (GO Simple Tunnel) is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not secure, an attacker can mount a side-channel timing attack to guess the password. As a workaround, this can be easily fixed using a constant time comparing function such as `crypto/subtle`'s `ConstantTimeCompare`.

Exploit Prediction Scoring System (EPSS)

The EPSS score estimates the probability that this vulnerability will be exploited in the near future.

EPSS Score: 0.194% (probability of exploit)

EPSS Percentile: 58.06% (lower percentile = lower relative risk)
This vulnerability is less risky than approximately 41.94% of others.

CVE-2023-32691 References

External References

• https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46
• https://github.com/ginuerzh/gost/security/advisories/GHSA-qjrq-hm79-49ww
• https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46
• https://github.com/ginuerzh/gost/security/advisories/GHSA-qjrq-hm79-49ww

CWE Common Weakness Enumeration

CAPEC Common Attack Pattern Enumeration and Classification

• Black Box Reverse Engineering CAPEC-189 An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.

Vulnerable Configurations

• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.0:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.0:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.1:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.1:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.2:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.2:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.3:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.3:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.4:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.4:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.5:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.5:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.6:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.6:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.7:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.7:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.8:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:1.8:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.0:-:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.0:-:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.0:rc:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.0:rc:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.0:rc2:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.0:rc2:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.0:rc3:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.0:rc3:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.1:-:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.1:-:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.1:rc1:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.1:rc1:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.2:-:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.2:-:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.2:rc1:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.2:rc1:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.2:rc2:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.2:rc2:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.3:-:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.3:-:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.3:rc1:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.3:rc1:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.3:rc2:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.3:rc2:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.4:-:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.4:-:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.4:rc1:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.4:rc1:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.4:rc2:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.4:rc2:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.5:-:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.5:-:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.5:rc1:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.5:rc1:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.5:rc2:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.5:rc2:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.6:-:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.6:-:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.6.1:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.6.1:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.6:rc1:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.6:rc1:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.7.0:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.7.0:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.7.1:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.7.1:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.7.2:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.7.2:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.8.0:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.8.0:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.8.1:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.8.1:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.8.2:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.8.2:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.9.0:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.9.0:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.9.1:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.9.1:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.9.2:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.9.2:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.10.0:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.10.0:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.10.1:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.10.1:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.0:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.0:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.1:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.1:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.2:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.2:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.3:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.3:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.4:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.4:*:*:*:*:go:*:*
• cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.5:*:*:*:*:go:*:*
  cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:2.11.5:*:*:*:*:go:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2025-3800 – A vulnerability has been found in WCMS 11 and classified as critical. Affected by this vulnerability is an unknown functionality of the file app/co...
• CVE-2025-3799 – A vulnerability, which was classified as critical, was found in WCMS 11. Affected is an unknown function of the file app/controllers/AnonymousContr...
• CVE-2025-3798 – A vulnerability, which was classified as critical, has been found in WCMS 11. This issue affects the function sub of the file app/admin/AdvadminCon...
• CVE-2025-3661 – The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and inclu...
• CVE-2025-3404 – The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage func...