Описание
httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version 0.0.19 fixes the issue.
EPSS
Процентиль: 16%
0.00053
Низкий
5.9 Medium
CVSS3
Дефекты
CWE-208
Связанные уязвимости
CVSS3: 5.9
github
5 месяцев назад
httpsig-rs: HMAC verification is vulnerable to timing attack
EPSS
Процентиль: 16%
0.00053
Низкий
5.9 Medium
CVSS3
Дефекты
CWE-208