Timing Attack Vulnerability in Malcolm Fell JWT Library

CVE-2016-7037 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack.
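The weak comparison pattern beside a timing-safe one, as an added PHP example that is not code from the library. It assumes an HMAC-SHA256 compact token; the function names, sample key and sample token are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Names and the sample key are hypothetical; HS256 is assumed.

function b64url_decode(string $s): ?string
{
    $padded = $s . str_repeat('=', (4 - strlen($s) % 4) % 4);
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Weak form: ordinary string comparison gives no constant-time guarantee,
// so response time can vary with how much of the MAC matches.
function verify_weak(string $expected, string $supplied): bool
{
    return $expected === $supplied;
}

// Hardened form: hash_equals() (PHP >= 5.6) compares in time that does not
// depend on where the strings differ. The known value goes first.
function verify_hs256(string $token, string $key): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$header, $payload, $sig] = $parts;
    $supplied = b64url_decode($sig);
    if ($supplied === null) {
        return false;
    }
    $expected = hash_hmac('sha256', $header . '.' . $payload, $key, true);
    return hash_equals($expected, $supplied);
}

// Constructed sample token, signed and then checked with a constructed key.
$key = 'constructed-demo-key';
$signingInput = b64url_encode('{"alg":"HS256","typ":"JWT"}') . '.' . b64url_encode('{"sub":"demo"}');
$token = $signingInput . '.' . b64url_encode(hash_hmac('sha256', $signingInput, $key, true));

var_dump(verify_hs256($token, $key));
var_dump(verify_hs256($signingInput . '.' . b64url_encode(str_repeat("\0", 32)), $key));
```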