Lucene search
Veracode Vulnerability DatabaseVERACODE:36364HistoryJul 15, 2022 - 4:38 a.m.
Timing Attack
2022-07-1504:38:06
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
20
0.001 Low
EPSS
Percentile
46.8%
@fastify/bearer-auth is vulnerable to timing attacks. The vulnerability exists because the timingSafeEqual functionality in the compare function of plugin.js does not securely perform a constant-time comparison against the length of the bearer token, allowing an attacker to guess the length of the legitimate bearer token.
| CPE | Name | Operator | Version |
|---|---|---|---|
| @fastify/bearer-auth | eq | 8.0.0 | |
| @fastify/bearer-auth | le | 7.0.1 | |
| @fastify/bearer-auth | eq | 8.0.0 | |
| @fastify/bearer-auth | le | 7.0.1 |
References
github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4
github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716
github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f
github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr
hackerone.com/reports/1633287
Related
cve
cve
CVE-2022-31142
2022-07-14 19:15:07
cvelist
cvelist
CVE-2022-31142 Potential Timing Attack Vector in @fastify/bearer-auth
2022-07-14 18:55:11
github
github
fastify-bearer-auth vulnerable to Timing Attack Vector
2022-07-15 19:14:27
osv
osv
fastify-bearer-auth vulnerable to Timing Attack Vector
2022-07-15 19:14:27
CVE-2022-31142
2022-07-14 19:15:07
prion
prion
Authorization
2022-07-14 19:15:00
nvd
nvd
CVE-2022-31142
2022-07-14 19:15:07