Timing Attack Affecting jwt package, versions <0.1.6
Snyk CVSS: Attack Complexity: Low
- Snyk ID SNYK-RUBY-JWT-20387
- published 5 Jul 2017
- disclosed 5 Mar 2013
- credit Micah Gates
How to fix?
Upgrade jwt to version 0.1.6 or higher.
Overview
jwt is a pure Ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.
Affected versions of the package are vulnerable to timing attacks because the expected and supplied signatures are compared with an ordinary string comparison whose running time varies with the input: it stops at the first mismatching byte. A malicious user can therefore guess a valid signature one character at a time by measuring how long signature validation takes to fail.
For more information on timing attacks, see our blog.
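The following is an added illustration, not code from the jwt gem or from the advisory. It builds a minimal HS256 token, verifies it once with the time-variable pattern the advisory describes (plain `==`, which returns at the first differing byte) and once with a constant-time comparison that always processes every byte. Two instrumented helpers count the bytes each strategy inspects, which makes the leak visible without any timing measurement. The key, payload and helper names are all constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed demo key; nothing here comes from the advisory or the jwt gem.
DEMO_KEY = 'constructed-demo-secret'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

def hs256(key, data)
  OpenSSL::HMAC.digest('SHA256', key, data)
end

# Build header.payload and sign it with HS256, mirroring JWT structure.
def encode_hs256(key, payload)
  header = JSON.generate(alg: 'HS256', typ: 'JWT')
  input = "#{b64url(header)}.#{b64url(JSON.generate(payload))}"
  "#{input}.#{b64url(hs256(key, input))}"
end

# Vulnerable pattern the advisory describes: String#== (memcmp underneath)
# stops at the first differing byte, so rejection time grows with the number
# of leading signature bytes the caller got right.
def naive_equal?(expected, given)
  expected == given
end

# Constant-time comparison: examine every byte and OR the XOR differences
# into an accumulator, so the work done is independent of where (or whether)
# the inputs differ. The length check leaks only the MAC length, which is
# fixed and public for HS256.
def secure_equal?(expected, given)
  return false unless expected.bytesize == given.bytesize
  acc = 0
  expected.each_byte.with_index { |x, i| acc |= x ^ given.getbyte(i) }
  acc.zero?
end

# Verify a compact token; constant_time: false reproduces the weak behaviour.
def verify_hs256(key, token, constant_time: true)
  head, body, sig = token.split('.', 3)
  return false if sig.nil?
  expected = hs256(key, "#{head}.#{body}")
  given = b64url_decode(sig)
  constant_time ? secure_equal?(expected, given) : naive_equal?(expected, given)
rescue ArgumentError
  false # malformed base64url in the signature segment
end

# Instrumented comparisons that count inspected bytes instead of timing them:
# the early-exit loop stops at the first mismatch, the constant-time loop
# always touches every byte. Both assume equal-length inputs.
def bytes_inspected_early_exit(a, b)
  a.each_byte.with_index do |x, i|
    return i + 1 if x != b.getbyte(i)
  end
  a.bytesize
end

def bytes_inspected_constant_time(a, b)
  return 0 unless a.bytesize == b.bytesize
  count = 0
  a.each_byte.with_index { |x, i| count += 1; x ^ b.getbyte(i) }
  count
end

if __FILE__ == $PROGRAM_NAME
  token = encode_hs256(DEMO_KEY, sub: 'alice')
  puts "valid token verifies: #{verify_hs256(DEMO_KEY, token)}"
  head, body, = token.split('.')
  forged = "#{head}.#{body}.#{b64url("\x00" * 32)}"
  puts "forged signature rejected: #{!verify_hs256(DEMO_KEY, forged)}"
  puts "early-exit bytes inspected: #{bytes_inspected_early_exit('abcdef', 'abXdef')}"
  puts "constant-time bytes inspected: #{bytes_inspected_constant_time('abcdef', 'abXdef')}"
end
```

In production Ruby code, prefer the library primitive over a hand-rolled loop: `OpenSSL.fixed_length_secure_compare` (Ruby 2.7 and later) or `Rack::Utils.secure_compare` give the same constant-time guarantee with less room for error, and the fixed jwt release takes the same approach of comparing signatures without an early exit.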