Vulnerability Description
Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Json Web Token Project | Json Web Token | - |
Related Weaknesses (CWE)
References
- https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b65PatchThird Party Advisory
- https://github.com/robbert229/jwt/issues/12Issue TrackingThird Party Advisory
- https://pkg.go.dev/vuln/GO-2020-0023PatchVendor Advisory
- https://github.com/robbert229/jwt/commit/ca1404ee6e83fcbafb66b09ed0d543850a15b65PatchThird Party Advisory
- https://github.com/robbert229/jwt/issues/12Issue TrackingThird Party Advisory
- https://pkg.go.dev/vuln/GO-2020-0023PatchVendor Advisory
FAQ
What is CVE-2015-10004?
CVE-2015-10004 is a vulnerability with a CVSS score of 7.5 (HIGH). Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine th...
How severe is CVE-2015-10004?
CVE-2015-10004 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-10004?
Check the references section above for vendor advisories and patch information. Affected products include: Json Web Token Project Json Web Token.