express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison
- Severity: Low
Description
Versions of express-basic-auth prior to 1.1.7 are vulnerable to timing attacks. The package checks the supplied username and password against the configured credentials with JavaScript's native string comparison, which returns as soon as a length mismatch or the first differing character is found. The time taken to reject a guess therefore depends on how long a prefix of the secret the attacker has already matched, and an attacker who can take enough precise timing measurements can recover the credentials one character at a time. A constant-time comparison (for example one built on Node's `crypto.timingSafeEqual`) takes the same time regardless of where the inputs differ and does not leak this information. Network jitter makes the attack harder to carry out remotely, which is why the severity is rated Low.
Recommendation
Update express-basic-auth to the latest compatible version (1.1.7 or later). Version details:
- Affected version(s): < 1.1.7
- Patched version(s): 1.1.7
Related Issues
- Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin - Vulnerability
- Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime - CVE-2021-29445
- Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime - CVE-2021-29446
- Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime - CVE-2021-29444
- Tags: npm, express-basic-auth
Last updated on January 11, 2023