CVE-2016-7037
The CVE concerns Malcolm Fell jwt (before 1.0.3). The verify function in Encryption/Symmetric.php does not use a timing-safe hash comparison, allowing an attacker to spoof signatures via timing attacks. Impact is signature forgery; remediation is upgrading to version 1.0.3 or later (as per refere...