babelouest/rhonabwy

babelouest/rhonabwy

babelouest.github.io

Releases30

Frequency1 month 2 weeks

Last Release over 2 years ago

Stars47

[PROJECT CLOSED] - Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-25714 ↗	Feb 11, 2024Sunday, 11 February 2024, 03:15	9.8 CRITICAL	—
In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.)
CVE-2022-38493 ↗	Aug 20, 2022Saturday, 20 August 2022, 20:15	7.5 HIGH	—
Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token.
CVE-2022-32096 ↗	Jul 13, 2022Wednesday, 13 July 2022, 16:15	7.5 HIGH	5 MEDIUM
Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component r_jwe_aesgcm_key_unwrap. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted JWE token.