Vulnerability Report: GO-2020-0023
- CVE-2015-10004, GHSA-5vw4-v588-pgv8
- Affects: github.com/robbert229/jwt
- Published: Apr 14, 2021
- Modified: May 20, 2024
Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low-latency connection, an attacker may use this to determine the expected HMAC.
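The mitigation for this class of issue is to compare the HMAC tag in constant time. The Go code below is an added example, not code from github.com/robbert229/jwt; its function names, token layout and key are assumptions made for illustration. It places a variable-time string comparison beside a check that uses hmac.Equal from crypto/hmac.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// All names below are hypothetical; this is not the affected package's API.
// sign returns the raw HMAC-SHA256 tag over the signing input.
func sign(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// makeToken appends the base64url-encoded tag: "<signingInput>.<tag>".
func makeToken(signingInput string, key []byte) string {
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sign(signingInput, key))
}

// verifyVariableTime shows the weak pattern: == on strings may stop at the
// first differing byte, so timing can depend on how much of the tag matched.
func verifyVariableTime(token string, key []byte) bool {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return false
	}
	return token[i+1:] == base64.RawURLEncoding.EncodeToString(sign(token[:i], key))
}

// verifyConstantTime decodes the presented tag and compares it with hmac.Equal,
// which does not leak where the first mismatch occurs.
func verifyConstantTime(token string, key []byte) bool {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return false
	}
	got, err := base64.RawURLEncoding.DecodeString(token[i+1:])
	if err != nil {
		return false
	}
	return hmac.Equal(got, sign(token[:i], key))
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	tok := makeToken("hdr.payload", key)
	fmt.Println(verifyVariableTime(tok, key), verifyConstantTime(tok, key))
}
```

Both functions return the same accept/reject result; only the second keeps the comparison time independent of the submitted tag's contents.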
Affected Packages
- Path: github.com/robbert229/jwt
- Go Versions: before v0.0.0-20170426191122-ca1404ee6e83
References
- https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654
- https://github.com/robbert229/jwt/issues/12
- https://vuln.go.dev/ID/GO-2020-0023.json