Description
Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.
Remediation
References
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838618
https://travis-ci.com/nodejs/security-wg/builds/76423102
https://security-tracker.debian.org/tracker/CVE-2016-1000236
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000236
https://bugzilla.redhat.com/show_bug.cgi?id=1371409
https://www.mail-archive.com/secure-testing-team%40lists.alioth.debian.org/msg06583.html
Related Vulnerabilities
CVE-2022-43670 Vulnerability in maven package org.apache.sling:org.apache.sling.cms
CVE-2019-3888 Vulnerability in maven package io.undertow:undertow-core
CVE-2022-41404 Vulnerability in maven package org.ini4j:ini4j
CVE-2019-12415 Vulnerability in maven package org.apache.poi:poi-ooxml
CVE-2016-3092 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core