PT-2019-20035 · Npm · Express-Basic-Auth
Published: 2019-06-06 · Updated: 2019-06-06
CVSS v3.1: 3.1 (Low)
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
express-basic-auth versions prior to 1.1.7
Description
The express-basic-auth package uses native string comparison instead of a constant-time string comparison. This can lead to timing attacks, which may increase the efficiency of brute-force attacks by reducing the entropy gained from longer secrets.
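The difference between the two comparison styles, as an added example for Node.js (not code from the express-basic-auth project; the function names `unsafeEqual`, `safeEqual`, `basicHeader` and `checkBasicAuth` and the sample credentials are assumptions made for illustration). It uses the standard `crypto.timingSafeEqual`, hashing both values first so that inputs of different lengths can be compared.

```javascript
const crypto = require('crypto');

// Native comparison: the engine may return at the first differing character,
// so response time can depend on how much of the supplied value is correct.
function unsafeEqual(supplied, expected) {
  return supplied === expected;
}

// Constant-time comparison: HMAC both values under a per-process random key so
// the buffers always have equal length (timingSafeEqual throws on a length
// mismatch), then compare the digests without an early exit.
const hmacKey = crypto.randomBytes(32);
function safeEqual(supplied, expected) {
  const digest = (v) =>
    crypto.createHmac('sha256', hmacKey).update(String(v)).digest();
  return crypto.timingSafeEqual(digest(supplied), digest(expected));
}

// Build an Authorization header value (used here only to construct sample input).
function basicHeader(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
}

// Check a Basic Authorization header value against one expected user/password pair.
function checkBasicAuth(headerValue, user, password) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(headerValue || '');
  if (!m) return false;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return false;
  // Both comparisons always run before the results are combined, so a wrong
  // user name does not skip the password check.
  const userOk = safeEqual(decoded.slice(0, sep), user);
  const passOk = safeEqual(decoded.slice(sep + 1), password);
  return Boolean(userOk & passOk);
}

// Constructed sample credentials, not taken from the advisory.
const sample = basicHeader('admin', 's3cret-constructed');
console.log(checkBasicAuth(sample, 'admin', 's3cret-constructed')); // true
console.log(checkBasicAuth(sample, 'admin', 's3cret-constructeX')); // false
```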
Recommendations
Upgrade to version 1.1.7 or later.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Express-Basic-Auth