CVE-2015-10004

Published: Dec 27, 2022Modified: Apr 11, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

Affected (1)

Products: Json Web Token Project: Json Web Token

Json Web Token Project

1 product

Json Web Token

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Json Web Token Project Json Web Token	All versions

Related CWEs

CWE-668

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (6)

https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654

Source: security@golang.org

PatchThird Party Advisory

https://github.com/robbert229/jwt/issues/12

Source: security@golang.org

Issue TrackingThird Party Advisory

https://pkg.go.dev/vuln/GO-2020-0023

Source: security@golang.org

PatchVendor Advisory

https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b654

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/robbert229/jwt/issues/12

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://pkg.go.dev/vuln/GO-2020-0023

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.