CiviCRM's REST API traditionally requires two keys, the "API Key" and the "Site Key". The "Site Key" could potentially be extracted by a "timing attack". In this scenario, an attacker would send many invalid requests, build a statistical profile, and infer the most likely value.
CiviCRM versions 5.35.0 and earlier
CiviCRM version 5.35.1 and ESR version 5.33.3
Upgrade to the latest version of CiviCRM
Alternatively, HTTP rate-limiting may mitigate or delay timing attacks. However, rate-limiting does not categorically prevent them.
Tim Otten of CiviCRM Core for reporting the issue
Tim Otten of CiviCRM Core Team and Rich Lott of Artfulrobot for fixing the issue
Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH for funding the fix
security/core#104