Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py - check_sign_in_key(). This issue has been patched via commit 2f68e16.
AnalysisAI
Timing attack vulnerability in RELATE's authentication module allows remote unauthenticated attackers to infer valid sign-in keys through response time analysis. The CWE-208 timing side-channel in course/auth.py's check_sign_in_key() function enables attackers to distinguish between valid and invalid authentication tokens by measuring server response latencies. While attack complexity is high (AC:H) due to the precise timing measurements required, successful exploitation grants full authentication bypass with cross-scope impact. Patched in commit 2f68e16. No public exploit identified at time of analysis. EPSS data not provided, CVSS 9.0 (Critical) reflects potential for complete system compromise via side-channel cryptanalysis.
Technical ContextAI
This is a CWE-208 (Observable Timing Discrepancy) vulnerability in RELATE, an open-source web-based courseware management system built in Python/Django. The vulnerable check_sign_in_key() function in course/auth.py performs authentication token validation using non-constant-time comparison operations. When verifying user-supplied sign-in keys against stored credentials, the function likely uses standard string equality operators that short-circuit on the first mismatching character, creating measurable timing differences. Attackers can exploit these microsecond-level variations to perform byte-by-byte key recovery: correct key prefixes take slightly longer to reject than completely wrong keys. This is a classic example of remote timing side-channel attacks against authentication systems, similar to historical vulnerabilities in password verification, HMAC validation, and cryptographic token comparison routines. The fix in commit 2f68e16 likely replaces vulnerable comparison logic with constant-time comparison functions (such as hmac.compare_digest() in Python) that always perform full-length comparisons regardless of where differences occur.
RemediationAI
Upgrade RELATE to commit 2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb or later, available at https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb. The patch replaces timing-vulnerable comparison operations with constant-time equivalents in the authentication key validation logic. For production deployments, pull the latest code from the main branch or apply the specific commit as a patch. If immediate patching is not feasible, implement network-level rate limiting to restrict authentication attempts to a maximum of 10 requests per IP address per minute, which significantly increases the time required for statistical timing analysis from hours to weeks. Additionally, deploy a web application firewall (WAF) with behavior-based anomaly detection to flag IP addresses performing repetitive authentication failures with consistent timing patterns. Note that rate limiting will impact legitimate users who mistype credentials multiple times and may require user support process adjustments. As a detection measure, enable detailed authentication logging with microsecond timestamps and monitor for patterns of rapid authentication failures from single source IPs, which may indicate timing attack reconnaissance.
An issue in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to t
Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1 allows a remote attacker to execut
Remote code execution in RELATE LMS (the inducer/relate web courseware platform) stems from its Celery task queue being
Predictable token generation in RELATE courseware allows remote attackers to forge authentication and exam access tokens
Cross Site Scripting vulnerability in inducer relate before v.2024.1 allows a remote attacker to escalate privileges via
Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1, allows remote attackers to execut
Same weakness CWE-208 – Observable Timing Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28656