blob: 8c495dad6b409ba96c598c0826408cbc1d1a50c6 [file] [log] [blame]
id: GO-2020-0023
modules:
- module: github.com/robbert229/jwt
versions:
- fixed: 0.0.0-20170426191122-ca1404ee6e83
vulnerable_at: 0.0.0-20170303194658-2eb16e9a008d
packages:
- package: github.com/robbert229/jwt
symbols:
- Algorithm.validateSignature
derived_symbols:
- Algorithm.Validate
summary: Timing side-channel in github.com/robbert229/jwt
description: |-
Token validation methods are susceptible to a timing side-channel during HMAC
comparison. With a large enough number of requests over a low latency
connection, an attacker may use this to determine the expected HMAC.
published: 2021-04-14T20:04:52Z
ghsas:
- GHSA-5vw4-v588-pgv8
references:
- fix: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
- web: https://github.com/robbert229/jwt/issues/12
cve_metadata:
id: CVE-2015-10004
cwe: 'CWE 208: Information Exposure Through Timing Discrepancy'
review_status: REVIEWED