3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
4.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
62.1%
Affected versions of cookie-signature
are vulnerable to timing attacks as a result of using a fail-early comparison instead of a constant-time comparison.
Timing attacks remove the exponential increase in entropy gained from increased secret length, by providing per-character feedback on the correctness of a guess via miniscule timing differences.
Under favorable network conditions, an attacker can exploit this to guess the secret in no more than charset*length
guesses, instead of charset^length
guesses required were the timing attack not present.
Update to 1.0.4 or later.
CPE | Name | Operator | Version |
---|---|---|---|
cookie-signature | lt | 1.0.4 |
bugs.debian.org/cgi-bin/bugreport.cgi?bug=838618
bugzilla.redhat.com/show_bug.cgi?id=1371409
bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000236
github.com/advisories/GHSA-92vm-wfm5-mxvv
github.com/tj/node-cookie-signature/commit/2c4df6b6cee540f30876198cd0b5bebf28528c07
github.com/tj/node-cookie-signature/commit/39791081692e9e14aa62855369e1c7f80fbfd50e
github.com/tj/node-cookie-signature/commit/4cc5e21e7f59a4ea0b51cd5e9634772d48fab590
nvd.nist.gov/vuln/detail/CVE-2016-1000236
security-tracker.debian.org/tracker/CVE-2016-1000236
travis-ci.com/nodejs/security-wg/builds/76423102
www.mail-archive.com/[email protected]/msg06583.html
www.npmjs.com/advisories/134
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
4.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
62.1%