| id: GO-2020-0023 |
| modules: |
| - module: github.com/robbert229/jwt |
| versions: |
| - fixed: 0.0.0-20170426191122-ca1404ee6e83 |
| vulnerable_at: 0.0.0-20170303194658-2eb16e9a008d |
| packages: |
| - package: github.com/robbert229/jwt |
| symbols: |
| - Algorithm.validateSignature |
| derived_symbols: |
| - Algorithm.Validate |
| summary: Timing side-channel in github.com/robbert229/jwt |
| description: |- |
| Token validation methods are susceptible to a timing side-channel during HMAC |
| comparison. With a large enough number of requests over a low latency |
| connection, an attacker may use this to determine the expected HMAC. |
| published: 2021-04-14T20:04:52Z |
| ghsas: |
| - GHSA-5vw4-v588-pgv8 |
| references: |
| - fix: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654 |
| - web: https://github.com/robbert229/jwt/issues/12 |
| cve_metadata: |
| id: CVE-2015-10004 |
| cwe: 'CWE 208: Information Exposure Through Timing Discrepancy' |
| review_status: REVIEWED |