Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime
Vulnerability Description
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `>=3.11.4`. Users should upgrade to `^3.11.4`.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
通过差异性导致的信息暴露
Vulnerability Title
jose-node-cjs-runtime 安全漏洞
Vulnerability Description
npm jose-node-cjs-runtime是美国npm公司的一个应用软件。提供jose具有较小捆绑/安装尺寸的发行版。 jose-node-cjs-runtime 在3.11.4之前版本存在安全漏洞,该漏洞源于解密密文时出现填充错误的时间上可能存在一个明显的差异。
CVSS Information
N/A
Vulnerability Type
N/A