jose-node-cjs-runtime is vulnerable to a padding oracle attack. The vulnerability exists because decryption did not fail as soon as HMAC
verification failed, allowing timing information to be measured by running the CBC decryption with various padding lengths.
CPE

Name | Operator | Version
---|---|---
jose-node-cjs-runtime | le | 3.11.3