express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison
- Severity: Low
Description
Versions of express-basic-auth prior to 1.1.7 are vulnerable to timing attacks. The package checks credentials with native string comparison, which stops at the first differing character, instead of a constant-time string comparison, so the time taken to reject a request can vary with how closely the supplied value matches the configured one.
Recommendation
Update the express-basic-auth package to the latest compatible version. The version details are as follows:
- Affected version(s): < 1.1.7
- Patched version(s): 1.1.7
References
Related Issues
- Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability - CVE-2024-47818
- Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - CVE-2024-30261
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Incorrect default cookie name and recommendation - Vulnerability
- Tags: npm, express-basic-auth
Last updated on January 11, 2023