Overview

Affected versions of github.com/robbert229/jwt are vulnerable to Side-channel Attacks.

The library uses the insecure, non-constant-time string comparison function strings.Compare() instead of a constant-time comparison. As a result, the comparison fails faster when the first characters in the HMAC are incorrect. An attacker can use this difference to perform a timing attack, essentially allowing them to guess the HMAC one character at a time.
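The flawed comparison pattern next to a constant-time replacement, as an added example that is not the library's own code. It assumes an HS256-style token of the form header.payload.signature; the function names, key and token are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// sign returns the base64url HMAC-SHA256 of signingInput ("header.payload").
func sign(signingInput string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyInsecure shows the flawed pattern: strings.Compare returns at the first
// differing byte, so its run time depends on the length of the matching prefix.
func verifyInsecure(token string, key []byte) bool {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return false
	}
	return strings.Compare(sign(token[:i], key), token[i+1:]) == 0
}

// verifySecure decodes the presented signature and compares raw MAC bytes with
// hmac.Equal, whose run time does not depend on where the inputs differ.
func verifySecure(token string, key []byte) bool {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return false
	}
	got, err := base64.RawURLEncoding.DecodeString(token[i+1:])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(token[:i]))
	return hmac.Equal(mac.Sum(nil), got)
}

func main() {
	key := []byte("constructed-demo-key")                // constructed sample key
	input := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0" // constructed header.payload
	good := input + "." + sign(input, key)
	bad := input + "." + strings.Repeat("A", 43) // well-formed but wrong signature
	fmt.Println(verifySecure(good, key), verifySecure(bad, key), verifyInsecure(bad, key))
}
```

Both functions accept and reject the same tokens; only the secure one avoids the data-dependent early exit. crypto/subtle.ConstantTimeCompare is an equivalent choice for the final comparison.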

A similar vulnerability was previously found in Google's Keyczar cryptographic library.

You can read more about timing attacks in Node.js on the Snyk blog.

CVSS Score

3.7 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Credit: Vetcher
CWE: CWE-208
Snyk ID: SNYK-GOLANG-GITHUBCOMROBBERT229JWT-50051
Disclosed: 31 Mar, 2015
Published: 01 Oct, 2017