You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Snyk Description: ## Overview http-signature is a reference implementation of Joyent's HTTP Signature scheme.
Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.
The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect.
An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.
You can read more about timing attacks in Node.js on the Snyk blog.
Remediation
Upgrade http-signature to version 1.0.0 or higher.
Package Name: http-signature
Package Version: ['0.10.1']
Package Manager: npm
Target File: package.json
Severity Level: medium
Snyk ID: npm:http-signature:20150122
Snyk CVE: No CVE
Snyk CWE: CWE-310
Link to issue in Snyk: https://app.snyk.io/org/cse_rhicksiii91/project/14f822de-b806-4bd7-9ad2-767a7feebe1d
Snyk Description: ## Overview
http-signature
is a reference implementation of Joyent's HTTP Signature scheme.Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures.
The library implemented a character to character comparison, similar to the built-in string comparison mechanism,
===
, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect.An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.
You can read more about timing attacks in Node.js on the Snyk blog.
Remediation
Upgrade
http-signature
to version 1.0.0 or higher.References
The text was updated successfully, but these errors were encountered: