CVE-2021-29443 - Vulnerability Details

Vendors	Products
Jose Project Subscribe	Jose Subscribe

Source	ID	Title
EUVD	EUVD-2021-0764	jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. A possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `^1.28.1 \|\| ^2.0.5 \|\| >=3.11.4`. Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4. Thanks to Jason from Microsoft Vulnerability Research (MSVR) for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.
Github GHSA	GHSA-58f5-hfqc-jgch	Padding Oracle Attack due to Observable Timing Discrepancy in jose

Link	Providers
https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch
https://www.npmjs.com/package/jose

{"containers": {"cna": {"affected": [{"product": "jose", "vendor": "panva", "versions": [{"status": "affected", "version": "< 1.28.1"}, {"status": "affected", "version": ">= 2.0.0, < 2.0.5"}, {"status": "affected", "version": ">= 3.0.0, < 3.11.4"}]}], "descriptions": [{"lang": "en", "value": "jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. A possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `^1.28.1 || ^2.0.5 || >=3.11.4`. Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4. Thanks to Jason from Microsoft Vulnerability Research (MSVR) for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "description": "{\"CWE-203\":\"Observable Discrepancy\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-16T17:35:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/jose"}], "source": {"advisory": "GHSA-58f5-hfqc-jgch", "discovery": "UNKNOWN"}, "title": "Padding Oracle Attack due to Observable Timing Discrepancy in jose", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-29443", "STATE": "PUBLIC", "TITLE": "Padding Oracle Attack due to Observable Timing Discrepancy in jose"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "jose", "version": {"version_data": [{"version_value": "< 1.28.1"}, {"version_value": ">= 2.0.0, < 2.0.5"}, {"version_value": ">= 3.0.0, < 3.11.4"}]}}]}, "vendor_name": "panva"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. A possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `^1.28.1 || ^2.0.5 || >=3.11.4`. Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4. Thanks to Jason from Microsoft Vulnerability Research (MSVR) for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-203\":\"Observable Discrepancy\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch", "refsource": "CONFIRM", "url": "https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch"}, {"name": "https://www.npmjs.com/package/jose", "refsource": "MISC", "url": "https://www.npmjs.com/package/jose"}]}, "source": {"advisory": "GHSA-58f5-hfqc-jgch", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:02:52.017Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/jose"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-29443", "datePublished": "2021-04-16T17:35:12", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:02:52.017Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jose_project:jose:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B93ABC92-DD84-439F-A9B2-848231CAB2AE", "versionEndExcluding": "1.28.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:jose_project:jose:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6038A5A5-0704-44EF-BD09-BEBC67910809", "versionEndExcluding": "2.0.5", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:jose_project:jose:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3DD35FAA-86A6-4D32-92F7-99342CC196C5", "versionEndExcluding": "3.11.4", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. A possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `^1.28.1 || ^2.0.5 || >=3.11.4`. Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4. Thanks to Jason from Microsoft Vulnerability Research (MSVR) for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory."}, {"lang": "es", "value": "jose es una biblioteca npm que proporciona una serie de operaciones criptogr\u00e1ficas. En versiones vulnerables el algoritmo AES_CBC_HMAC_SHA2 (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512), el descifrado siempre ejecutaba tanto la verificaci\u00f3n de etiquetas HMAC como el descifrado CBC, si cualquiera de los dos presentaba un fallo, \"JWEDecryptionFailed\" ser\u00eda lanzado. Una posible diferencia observable en el tiempo cuando un error de padding podr\u00eda ocurrir al descifrar el texto cifrado crea un padding oracle y un adversario podr\u00eda ser capaz de hacer uso de ese oracle para descifrar datos sin conocer la clave de descifrado al emitir un promedio de 128*b llamadas padding oracle (donde b es el n\u00famero de bytes en el bloque de texto cifrado). Todas las versiones de lanzamiento principales han recibido un parche que garantiza que la etiqueta HMAC se verifique antes de llevar a cabo el descifrado CBC. Las versiones fijas son ^1.28.1 || ^2.0.5 || superiores o iguales a 3.11.4. Los usuarios deben actualizar su dependencia versiones v1.x hasta ^1.28.1, su dependencia versiones v2.x hasta ^ 2.0.5 y su dependencia versiones v3.x hasta ^3.11.4. Gracias a Jason de Microsoft Vulnerability Research (MSVR) por mencionar este tema y a Eva Sarafianou (@esarafianou) por ayudar a calificar este aviso"}], "id": "CVE-2021-29443", "lastModified": "2024-11-21T06:01:06.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-16T18:15:13.590", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/package/jose"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/package/jose"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Projects

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object