Timing Attack Vulnerability in JWT Library by Malcolm Fell
CVE-2016-7037

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
23 January 2017

What is CVE-2016-7037?

A vulnerability exists in the verify function within the Encryption/Symmetric.php file of the JWT Library developed by Malcolm Fell. Versions prior to 1.0.3 do not utilize a timing-safe function for hash comparison. This oversight allows attackers to exploit the flaw through timing attacks, enabling them to spoof signatures and potentially compromise security. It's crucial for users to update to the latest version to mitigate this risk.

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.