PT-2019-20035 · Npm · Express-Basic-Auth
Published
2019-06-06
·
Updated
2019-06-06
CVSS v3.1
3.1
Low
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
express-basic-auth versions prior to 1.1.7
Description
The issue concerns the use of native string comparison instead of a constant time string comparison in the express-basic-auth package. This can lead to timing attacks, which may increase the efficiency of brute-force attacks by reducing the entropy gained from longer secrets.
Recommendations
Upgrade to version 1.1.7 or later.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Express-Basic-Auth