CVE-2016-10535
EUVD-2019-030331.05.2018, 20:29
csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses `===`, a fail first string comparison, instead of a time constant string comparison This enables an attacker to guess the secret in no more than (16*18)288 guesses, instead of the 16^18 guesses required were the timing attack not present.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| csrf-lite_project | csrf-lite | 𝑥 ≤ 0.1.1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-208 - Observable Timing DiscrepancyTwo separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
- CWE-310 -