Padding Oracle Attack due to Observable Timing Discrepancy in jose

Description

jose is an npm library providing a number of cryptographic operations.

Recommendation

Update the jose package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 3.0.0, < 3.11.4

  >= 2.0.0, < 2.0.5

  >= 1.0.0, < 1.28.1**

• Patched version(s): **3.11.4

  2.0.5

  1.28.1**

References

• GHSA-58f5-hfqc-jgch
• www.npmjs.com
• CVE-2021-29443
• CWE-203
• CWE-696
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime - CVE-2021-29446
• Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime - CVE-2021-29445
• Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime - CVE-2021-29444
• Spoofing attack in swagger-ui-dist - CVE-2021-46708

Tags:

npm

jose