Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime
- Severity:
- Medium
Description
AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown.
Recommendation
Update the jose-browser-runtime package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.11.4
- Patched version(s): 3.11.4
References
Related Issues
- Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime - CVE-2021-29446
- Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime - CVE-2021-29445
- Padding Oracle Attack due to Observable Timing Discrepancy in jose - CVE-2021-29443
- angular vulnerable to super-linear runtime due to backtracking - CVE-2024-21490
- Tags:
- npm
- jose-browser-runtime
Anything's wrong? Let us know Last updated on March 26, 2023