Veracode Vulnerability Database: VERACODE:45570
Feb 21, 2024 - 7:07 p.m.

Timing Side Channel Attack

sca.analysiscenter.veracode.com
Tags: nodejs, vulnerability, timing side channel attack, privatedecrypt(), crypto library, pkcs#1 v1.5 padding, error handling, decryption, remote exploitation, rsa, ciphertexts, forge signatures, json web encryption, api endpoints

AI Score: 6.5 Medium (Confidence: Low)

EPSS: 0 Low (Percentile: 0.0%)

NodeJS is vulnerable to a timing side-channel attack. The vulnerability is caused by a defect in the privateDecrypt() API of the crypto library during PKCS#1 v1.5 padding error handling, where there are significant timing differences in decryption between valid and invalid ciphertexts. An attacker can remotely exploit this vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints that process JSON Web Encryption messages.
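
One defensive check for the JWE scenario described above, as an added example that is not part of the advisory or of Node.js: reject any token whose key-management algorithm is `RSA1_5` (the JWE name for RSAES-PKCS1-v1_5) before the private key is used. The allow-list and the function names `parseJweHeader`, `checkJweBeforeDecrypt` and `sampleJwe` are assumptions for illustration.

```javascript
// Added example (not from the advisory): gate JWE tokens before any RSA decryption.
// Assumed policy: only OAEP key-management algorithms are accepted.
const ALLOWED_KEY_ALGS = new Set(['RSA-OAEP', 'RSA-OAEP-256']);
const B64URL = /^[A-Za-z0-9_-]+$/;

// Decode the protected header of a JWE compact serialization:
// header.encrypted_key.iv.ciphertext.tag (five base64url parts).
function parseJweHeader(token) {
  if (typeof token !== 'string') throw new Error('token is not a string');
  const parts = token.split('.');
  if (parts.length !== 5) throw new Error('not a JWE compact serialization');
  if (!B64URL.test(parts[0])) throw new Error('header is not base64url');
  const b64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
  let header;
  try {
    header = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (err) {
    throw new Error('header is not valid JSON');
  }
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    throw new Error('header is not a JSON object');
  }
  return header;
}

// Returns { ok, detail }. `detail` is for server-side logs only; the caller
// should answer every rejection with the same generic error.
function checkJweBeforeDecrypt(token) {
  let header;
  try {
    header = parseJweHeader(token);
  } catch (err) {
    return { ok: false, detail: err.message };
  }
  if (!ALLOWED_KEY_ALGS.has(header.alg)) {
    // "RSA1_5" (RSAES-PKCS1-v1_5) is rejected here, before any decryption call.
    return { ok: false, detail: 'alg not allowed: ' + String(header.alg) };
  }
  return { ok: true, detail: 'alg ' + header.alg };
}

// Constructed sample tokens; the four trailing parts are dummy placeholders.
function sampleJwe(header) {
  const h = Buffer.from(JSON.stringify(header)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return h + '.AAAA.AAAA.AAAA.AAAA';
}
```

Call `checkJweBeforeDecrypt` on the raw token before handing it to a JWE library or to `privateDecrypt()`, and proceed only when `ok` is true.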