Timing Side Channel Vulnerability in php-jwt
CVE-2024-25191
9.8 CRITICAL
Summary
The php-jwt 1.0.0 library contains an authentication verification flaw: it uses the strcmp function, which is not a constant-time comparison function. The resulting timing discrepancies can be exploited through side-channel attacks, allowing malicious actors to bypass authentication mechanisms with relative ease. This makes it significantly easier for attackers to gain unauthorized access and poses serious security risks to applications relying on this library.
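The comparison pattern described above, next to its constant-time replacement, as an added example (this is not php-jwt's own code; the function names, key and token are constructed for illustration and assume an HS256-signed token):

```php
<?php
// Added illustration. Not taken from php-jwt; all names and values are hypothetical.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function sign_hs256(string $signingInput, string $key): string
{
    return b64url(hash_hmac('sha256', $signingInput, $key, true));
}

// Weak form: strcmp() can return as soon as it finds a differing byte,
// so its run time depends on how much of the supplied signature matches.
function verify_weak(string $jwt, string $key): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$header, $payload, $sig] = $parts;
    return strcmp(sign_hs256("$header.$payload", $key), $sig) === 0;
}

// Hardened form: hash_equals() takes the same time wherever the strings differ.
// The trusted value goes first, the caller-supplied value second.
function verify_hardened(string $jwt, string $key): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$header, $payload, $sig] = $parts;
    return hash_equals(sign_hs256("$header.$payload", $key), $sig);
}

// Constructed sample input.
$key     = 'constructed-demo-key';
$header  = b64url('{"alg":"HS256","typ":"JWT"}');
$payload = b64url('{"sub":"demo-user"}');
$valid   = "$header.$payload." . sign_hs256("$header.$payload", $key);
$forged  = "$header.$payload." . str_repeat('A', 43);

var_dump(verify_weak($valid, $key), verify_hardened($valid, $key));   // both true
var_dump(verify_weak($forged, $key), verify_hardened($forged, $key)); // both false
```

Both functions return the same results; only the hardened one avoids leaking the position of the first mismatching byte through response time.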
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved