CRITICAL🇵🇱 Wersja polska

CVE-2024-25190

CVSS 9.8v3.1pub. 2024-02-08upd. 2024-11-21

l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.

🤖 AI Analysis
How it works

The memcmp function stops comparing bytes upon encountering the first difference, so its execution time depends on the number of matching bytes. An attacker can measure server response times during successive authentication attempts to systematically guess subsequent bytes of the correct JWT token or signature. This type of statistical attack (timing side channel) enables effective verification mechanism bypass without knowledge of the cryptographic secret.

Impact

An attacker can bypass JWT-based authentication verification and gain unauthorized access to resources protected by the library, potentially leading to complete application takeover (breach of confidentiality, integrity, and availability).

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is recommended to replace the memcmp function with a constant-time comparison implementation, e.g., using dedicated cryptographic functions resistant to timing attacks.

Who is affected

GlitchedPolygons l8w8jwt version 2.2.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Glitchedpolygons L8w8jwt

    APP
    Glitchedpolygons
    2.2.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References