From 5bfa4eae493f3cc680b7ddcc9f0edeff66048e54 Mon Sep 17 00:00:00 2001
From: Henrique Cabral <hocabral37@gmail.com>
Date: Thu, 25 Sep 2025 21:23:28 -0300
Subject: [PATCH 1/2] New vuln: Observable Timing Discrepancy in
 hashicorp/consul

---
 input/new.json | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/input/new.json b/input/new.json
index 87646b9a..0dd0992c 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,15 +1,24 @@
 {
-  "package_name": "",
-  "patch_versions": [],
-  "vulnerable_ranges": [],
-  "cwe": [],
-  "tldr": "",
-  "doest_this_affect_me": "",
-  "how_to_fix": "",
-  "vulnerable_to": "",
+  "package_name": "github.com/hashicorp/consul",
+  "patch_versions": [
+    "1.21.5"
+  ],
+  "vulnerable_ranges": [
+    [
+      "1.13.0",
+      "1.21.4"
+    ]
+  ],
+  "cwe": [
+    "CWE-208"
+  ],
+  "tldr": "Affected versions of this package are vulnerable to a timing attack due to the failure to use constant-time comparisons for sensitive values. This vulnerability occurs when the code compares sensitive data like passwords or tokens in a non-constant time manner, allowing differences in execution time to be measured. An attacker can exploit this by sending numerous requests with guessed values and analyzing the response times to infer correct characters or values incrementally. It could lead to the disclosure of sensitive information and unauthorized access to systems or user accounts.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `github.com/hashicorp/consul` library to the patch version.",
+  "vulnerable_to": "Observable Timing Discrepancy",
   "related_cve_id": "",
-  "language": "",
-  "severity_class": "",
-  "aikido_score": 0,
-  "changelog": ""
+  "language": "GO",
+  "severity_class": "LOW",
+  "aikido_score": 20,
+  "changelog": "https://github.com/hashicorp/consul/releases/tag/v1.21.5"
 }

From 940a54a170518a8010e41d75ad79618166dac700 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Mon, 6 Oct 2025 14:36:59 +0000
Subject: [PATCH 2/2] Move new vulnerability to
 vulnerabilities/AIKIDO-2025-10663.json and reset new.json template

---
 input/new.json                         | 33 ++++++++++----------------
 vulnerabilities/AIKIDO-2025-10663.json | 26 ++++++++++++++++++++
 2 files changed, 38 insertions(+), 21 deletions(-)
 create mode 100644 vulnerabilities/AIKIDO-2025-10663.json

diff --git a/input/new.json b/input/new.json
index 0dd0992c..87646b9a 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,24 +1,15 @@
 {
-  "package_name": "github.com/hashicorp/consul",
-  "patch_versions": [
-    "1.21.5"
-  ],
-  "vulnerable_ranges": [
-    [
-      "1.13.0",
-      "1.21.4"
-    ]
-  ],
-  "cwe": [
-    "CWE-208"
-  ],
-  "tldr": "Affected versions of this package are vulnerable to a timing attack due to the failure to use constant-time comparisons for sensitive values. This vulnerability occurs when the code compares sensitive data like passwords or tokens in a non-constant time manner, allowing differences in execution time to be measured. An attacker can exploit this by sending numerous requests with guessed values and analyzing the response times to infer correct characters or values incrementally. It could lead to the disclosure of sensitive information and unauthorized access to systems or user accounts.",
-  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
-  "how_to_fix": "Upgrade the `github.com/hashicorp/consul` library to the patch version.",
-  "vulnerable_to": "Observable Timing Discrepancy",
+  "package_name": "",
+  "patch_versions": [],
+  "vulnerable_ranges": [],
+  "cwe": [],
+  "tldr": "",
+  "doest_this_affect_me": "",
+  "how_to_fix": "",
+  "vulnerable_to": "",
   "related_cve_id": "",
-  "language": "GO",
-  "severity_class": "LOW",
-  "aikido_score": 20,
-  "changelog": "https://github.com/hashicorp/consul/releases/tag/v1.21.5"
+  "language": "",
+  "severity_class": "",
+  "aikido_score": 0,
+  "changelog": ""
 }
diff --git a/vulnerabilities/AIKIDO-2025-10663.json b/vulnerabilities/AIKIDO-2025-10663.json
new file mode 100644
index 00000000..395408e8
--- /dev/null
+++ b/vulnerabilities/AIKIDO-2025-10663.json
@@ -0,0 +1,26 @@
+{
+  "package_name": "github.com/hashicorp/consul",
+  "patch_versions": [
+    "1.21.5"
+  ],
+  "vulnerable_ranges": [
+    [
+      "1.13.0",
+      "1.21.4"
+    ]
+  ],
+  "cwe": [
+    "CWE-208"
+  ],
+  "tldr": "Affected versions of this package are vulnerable to a timing attack due to the failure to use constant-time comparisons for sensitive values. This vulnerability occurs when the code compares sensitive data like passwords or tokens in a non-constant time manner, allowing differences in execution time to be measured. An attacker can exploit this by sending numerous requests with guessed values and analyzing the response times to infer correct characters or values incrementally. It could lead to the disclosure of sensitive information and unauthorized access to systems or user accounts.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `github.com/hashicorp/consul` library to the patch version.",
+  "vulnerable_to": "Observable Timing Discrepancy",
+  "related_cve_id": "",
+  "language": "GO",
+  "severity_class": "LOW",
+  "aikido_score": 20,
+  "changelog": "https://github.com/hashicorp/consul/releases/tag/v1.21.5",
+  "last_modified": "2025-10-06",
+  "published": "2025-10-06"
+}