data/reports/GO-2020-0023.yaml - vulndb - Git at Google

 id: GO-2020-0023
 modules:
     - module: github.com/robbert229/jwt
       versions:
         - fixed: 0.0.0-20170426191122-ca1404ee6e83
       vulnerable_at: 0.0.0-20170303194658-2eb16e9a008d
       packages:
         - package: github.com/robbert229/jwt
           symbols:
             - Algorithm.validateSignature
           derived_symbols:
             - Algorithm.Validate
 summary: Timing side-channel in github.com/robbert229/jwt
 description: |-
     Token validation methods are susceptible to a timing side-channel during HMAC
     comparison. With a large enough number of requests over a low latency
     connection, an attacker may use this to determine the expected HMAC.
 published: 2021-04-14T20:04:52Z
 ghsas:
     - GHSA-5vw4-v588-pgv8
 references:
     - fix: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
     - web: https://github.com/robbert229/jwt/issues/12
 cve_metadata:
     id: CVE-2015-10004
     cwe: 'CWE 208: Information Exposure Through Timing Discrepancy'
	id: GO-2020-0023
	modules:
	- module: github.com/robbert229/jwt
	versions:
	- fixed: 0.0.0-20170426191122-ca1404ee6e83
	vulnerable_at: 0.0.0-20170303194658-2eb16e9a008d
	packages:
	- package: github.com/robbert229/jwt
	symbols:
	- Algorithm.validateSignature
	derived_symbols:
	- Algorithm.Validate
	summary: Timing side-channel in github.com/robbert229/jwt
	description: \|-
	Token validation methods are susceptible to a timing side-channel during HMAC
	comparison. With a large enough number of requests over a low latency
	connection, an attacker may use this to determine the expected HMAC.
	published: 2021-04-14T20:04:52Z
	ghsas:
	- GHSA-5vw4-v588-pgv8
	references:
	- fix: https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
	- web: https://github.com/robbert229/jwt/issues/12
	cve_metadata:
	id: CVE-2015-10004
	cwe: 'CWE 208: Information Exposure Through Timing Discrepancy'