Timing Attack Affecting jose-node-esm-runtime package, versions <3.11.4
Threat Intelligence
EPSS
0.15% (52nd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-JOSENODEESMRUNTIME-1251483
- published 18 Apr 2021
- disclosed 18 Apr 2021
- credit Morgan Brown
Introduced: 18 Apr 2021
CVE-2021-29445 Open this link in a new tabHow to fix?
Upgrade jose-node-esm-runtime
to version 3.11.4 or higher.
Overview
jose-node-esm-runtime is a (Node.JS ESM Runtime) 'JSON Web Almost Everything' - JWA, JWS, JWE, JWT, JWK with no dependencies
Affected versions of this package are vulnerable to Timing Attack. A difference in task execution timing may be observed in the AES_CBC_HMAC_SHA2 Algorithm when a padding error occurs during decryption, which may allow a malicious actor to decrypt data without the key.
References
CVSS Scores
version 3.1