5 matches found
@dci-lint/cmd-api-server (>=0.3.0 <=0.4.0), @dci-lint/test-api-client (>=0.3.0 <=0.4.0) +29 more potentially affected by CVE-2021-29443 via jose (>=1.18.1 <=1.28.0)
jose NPM version =1.18.1, =0.3.0, =0.3.0, =0.3.0, =0.10.0-unstable.2b529f0, =2.0.0, =0.1.1-alpha.289, =0.4.0, =0.1.1-alpha.289, =0.5.0, =0.5.0, =0.5.0, =0.4.0, =0.1.1-alpha.289, =0.1.1-alpha.289, =0.1.1-alpha.289, =0.5.0-alpha.0 and more Source cves: CVE-2021-29443 Source advisory:...
@decentralized-identity/ion-sdk (>=0.1.0 <=0.4.1), @tadashi/jwt (=6.0.0) +19 more potentially affected by CVE-2021-29443 via jose (>=2.0.1 <=2.0.3)
jose NPM version =2.0.1, =0.1.0, =3.0.4, =3.0.4, =3.0.5, =3.0.4, =3.0.5, =3.0.4, =3.0.6, =3.0.3, =3.0.5, =3.1.0, =2.3.2, =0.1.0, =0.1.3 and more Source cves: CVE-2021-29443 Source advisory: OSV:GHSA-58F5-HFQC-JGCH...
CVE-2021-29443
jose is an npm library providing a number of cryptographic operations. In vulnerable versions AESCBCHMACSHA2 Algorithm A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. A...
CVE-2021-29443 Padding Oracle Attack due to Observable Timing Discrepancy in jose
jose is an npm library providing a number of cryptographic operations. In vulnerable versions AESCBCHMACSHA2 Algorithm A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. A...
CVE-2021-29443
CVE-2021-29443 affects the jose npm library. Vulnerable versions of the library perform HMAC tag verification after attempting CBC decryption, creating a possible padding oracle through observable timing differences during decryption of AES_CBC_HMAC_SHA2 (A128CBC-HS256, A192CBC-HS384, A256CBC-HS5...