{ "schema_version": "1.4.0", "id": "GHSA-c35v-qwqg-87jc", "modified": "2022-08-03T16:27:53Z", "published": "2019-06-06T15:32:32Z", "aliases": [], "summary": "express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison", "details": "Versions of `express-basic-auth` prior to 1.1.7 are vulnerable to Timing Attacks. The package uses native string comparison instead of a constant time string comparison, which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the exponential increase in entropy gained from longer secrets.\n\n\n## Recommendation\n\nUpgrade to version 1.1.7 or later.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "express-basic-auth" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.1.7" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/webpack-contrib/webpack-bundle-analyzer/issues/263" }, { "type": "WEB", "url": "https://github.com/LionC/express-basic-auth/pull/20" }, { "type": "WEB", "url": "https://github.com/LionC/express-basic-auth/pull/21" }, { "type": "WEB", "url": "https://github.com/LionC/express-basic-auth/commit/00bb29fdd638f5cda8025d4398be97d528ce3f6f" }, { "type": "PACKAGE", "url": "https://github.com/LionC/express-basic-auth" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSBASICAUTH-174345" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/827" } ], "database_specific": { "cwe_ids": [ "CWE-208" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2019-06-06T09:51:04Z", "nvd_published_at": null } }