data/reports/GO-2020-0023.yaml - vulndb - Git at Google

 modules:
   - module: github.com/robbert229/jwt
     versions:
       - fixed: 0.0.0-20170426191122-ca1404ee6e83
     vulnerable_at: 0.0.0-20170303194658-2eb16e9a008d
     packages:
       - package: github.com/robbert229/jwt
         symbols:
           - Algorithm.validateSignature
         derived_symbols:
           - Algorithm.Validate
 description: |
     Token validation methods are susceptible to a timing side-channel
     during HMAC comparison. With a large enough number of requests
     over a low latency connection, an attacker may use this to determine
     the expected HMAC.
 published: 2021-04-14T20:04:52Z
 ghsas:
   - GHSA-5vw4-v588-pgv8
 references:
   - fix: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
   - web: https://github.com/robbert229/jwt/issues/12
 cve_metadata:
     id: CVE-2015-10004
     cwe: 'CWE 208: Information Exposure Through Timing Discrepancy'
	modules:
	- module: github.com/robbert229/jwt
	versions:
	- fixed: 0.0.0-20170426191122-ca1404ee6e83
	vulnerable_at: 0.0.0-20170303194658-2eb16e9a008d
	packages:
	- package: github.com/robbert229/jwt
	symbols:
	- Algorithm.validateSignature
	derived_symbols:
	- Algorithm.Validate
	description: \|
	Token validation methods are susceptible to a timing side-channel
	during HMAC comparison. With a large enough number of requests
	over a low latency connection, an attacker may use this to determine
	the expected HMAC.
	published: 2021-04-14T20:04:52Z
	ghsas:
	- GHSA-5vw4-v588-pgv8
	references:
	- fix: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
	- web: https://github.com/robbert229/jwt/issues/12
	cve_metadata:
	id: CVE-2015-10004
	cwe: 'CWE 208: Information Exposure Through Timing Discrepancy'