The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2017-01-23T21:00:00
Updated: 2024-08-06T01:50:46.876Z
Reserved: 2016-08-23T00:00:00
Link: CVE-2016-7037
Vulnrichment
No data.
NVD
Status : Modified
Published: 2017-01-23T21:59:02.487
Modified: 2024-11-21T02:57:19.797
Link: CVE-2016-7037
Redhat
No data.