CVE-2016-5429
low
CVSS v3
3.7
CVSS v2
4.3
VIR risk
3.7
Description
jose-php before 2.2.1 does not use constant-time operations for HMAC comparison, which makes it easier for remote attackers to obtain sensitive information via a timing attack, related to JWE.php and JWS.php.
Predictions
Exploit likelihood
47%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://github.com/nov/jose-php/commit/f03b986b4439e20b0fd635109b48afe96cf0099b#diff-37b0d289d6375ba4a7740401950ccdd6R287
Vendor advisory: secalert@redhat.com — https://github.com/nov/jose-php/commit/1cce55e27adf0274193eb1cd74b927a398a3df4b#diff-2a982d82ef0f673fd0ba2beba0e18420R138
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| jose-php_project | jose-php | {"endIncluding":"2.2.0"} | |
References
- http://www.securityfocus.com/bid/92743
- https://github.com/nov/jose-php/commit/1cce55e27adf0274193eb1cd74b927a398a3df4b#diff-2a982d82ef0f673fd0ba2beba0e18420R138
- https://github.com/nov/jose-php/commit/f03b986b4439e20b0fd635109b48afe96cf0099b#diff-37b0d289d6375ba4a7740401950ccdd6R287
- http://www.securityfocus.com/bid/92743
- https://github.com/nov/jose-php/commit/1cce55e27adf0274193eb1cd74b927a398a3df4b#diff-2a982d82ef0f673fd0ba2beba0e18420R138
- https://github.com/nov/jose-php/commit/f03b986b4439e20b0fd635109b48afe96cf0099b#diff-37b0d289d6375ba4a7740401950ccdd6R287
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.