CVE-2016-5429 Information
Feb 14, 2021
Description
jose-php before 2.2.1 does not use constant-time operations for HMAC comparison, which makes it easier for remote attackers to obtain sensitive information via a timing attack related to JWE.php and JWS.php.
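The class of flaw described above, shown as an added example that is not code from jose-php or its fix commits: an HS256 JWS check that compares MACs with `===` next to one that uses PHP's constant-time `hash_equals()`. The function names, key and token are constructed for illustration, and PHP 7 or later is assumed.

```php
<?php
// Added illustration, not jose-php code. Names, key and token are constructed.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Returns the decoded bytes, or false when the input is not valid base64url.
function b64url_decode(string $txt) {
    $pad = (4 - strlen($txt) % 4) % 4;
    return base64_decode(strtr($txt, '-_', '+/') . str_repeat('=', $pad), true);
}

// Weak pattern: string comparison with === is not guaranteed to be
// constant-time and may return as soon as a byte differs, so the response
// time can depend on how many leading bytes of a submitted MAC are correct.
function verify_hs256_leaky(string $jws, string $key): bool {
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        return false;
    }
    $expected = hash_hmac('sha256', $parts[0] . '.' . $parts[1], $key, true);
    return b64url_decode($parts[2]) === $expected;
}

// Hardened pattern: hash_equals() takes the same time wherever the
// first mismatch occurs, for inputs of equal length.
function verify_hs256(string $jws, string $key): bool {
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        return false;
    }
    $sig = b64url_decode($parts[2]);
    if ($sig === false) {
        return false; // malformed signature segment
    }
    $expected = hash_hmac('sha256', $parts[0] . '.' . $parts[1], $key, true);
    return hash_equals($expected, $sig); // known value first, user value second
}

// Constructed sample: sign a token, then swap the payload without re-signing.
$key    = 'constructed-demo-key';
$header = b64url_encode('{"alg":"HS256"}');
$input  = $header . '.' . b64url_encode('{"sub":"demo"}');
$sig    = b64url_encode(hash_hmac('sha256', $input, $key, true));
var_dump(verify_hs256($input . '.' . $sig, $key));  // genuine token
var_dump(verify_hs256($header . '.' . b64url_encode('{"sub":"other"}') . '.' . $sig, $key));  // altered payload
```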
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
http://www.securityfocus.com/bid/92743
https://github.com/nov/jose-php/commit/1cce55e27adf0274193eb1cd74b927a398a3df4b#diff-2a982d82ef0f673fd0ba2beba0e18420R138
https://github.com/nov/jose-php/commit/f03b986b4439e20b0fd635109b48afe96cf0099b#diff-37b0d289d6375ba4a7740401950ccdd6R287
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
3.7
Base Severity
LOW