CVE-2015-10004 — Timing side-channel in github.com/robbert229/jwt

描述

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

如何修補 CVE-2015-10004

要修補 CVE-2015-10004,請將受影響套件升級到下列已修補版本。

Go/github.com/robbert229/jwt—升級至 0.0.0-20170426191122-ca1404ee6e83 或更新版本
—升級至 0.0.0-20170426191122-ca1404ee6e83 或更新版本

CVE-2015-10004 正在被利用嗎?

低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。

受影響套件(2)

from 0, < 0.0.0-20170426191122-ca1404ee6e83
from 0, < 0.0.0-20170426191122-ca1404ee6e83

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-10004
PATCHgithub.com/robbert229/jwt
WEBgithub.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
WEBgithub.com/robbert229/jwt/issues/12
WEB