2 results (0.002 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

jose-php before 2.2.1 does not use constant-time operations for HMAC comparison, which makes it easier for remote attackers to obtain sensitive information via a timing attack, related to JWE.php and JWS.php. jose-php en versiones anteriores a 2.2.1 no usa operaciones de tiempo constante para comparación HMAC, lo que hace más fácil a atacantes remotos obtener información sensible a través de un ataque de sincronización, relacionado con JWE.php y JWS.php. • http://www.securityfocus.com/bid/92743 https://github.com/nov/jose-php/commit/1cce55e27adf0274193eb1cd74b927a398a3df4b#diff-2a982d82ef0f673fd0ba2beba0e18420R138 https://github.com/nov/jose-php/commit/f03b986b4439e20b0fd635109b48afe96cf0099b#diff-37b0d289d6375ba4a7740401950ccdd6R287 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

The RSA 1.5 algorithm implementation in the JOSE_JWE class in JWE.php in jose-php before 2.2.1 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA). La implementación del algoritmo RSA 1.5 en la clase JOSE_JWE en JWE.php en jose-php en versiones anteriores a 2.2.1 carece del mecanismo de protección Random Filling, lo que hace más fácil a atacantes remotos obtener datos en texto plano a través de un Million Message Attack (MMA). • http://www.securityfocus.com/bid/92741 https://github.com/nov/jose-php/commit/f03b986b4439e20b0fd635109b48afe96cf0099b#diff-37b0d289d6375ba4a7740401950ccdd6R199 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-310: Cryptographic Issues •