5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29443

GHSA ID

GHSA-58f5-hfqc-jgch

EPSS Score

0.54157%

CWE

CWE-203

Published

4/19/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29443

CVE-2021-29443: Padding Oracle Attack due to Observable Timing Discrepancy in jose

jose is an npm library providing a number of cryptographic operations.

Impact

AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).

Patches

All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are ^1.28.1 || ^2.0.5 || >=3.11.4.

Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4

Credits

Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29443

GHSA ID

GHSA-58f5-hfqc-jgch

EPSS Score

0.54157%

CWE

CWE-203

Published

4/19/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jose	npm	>= 1.0.0, < 1.28.1	1.28.1
jose	npm	>= 2.0.0, < 2.0.5	2.0.5
jose	npm	>= 3.0.0, < 3.11.4	3.11.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from performing CBC decryption (which involves padding validation) BEFORE HMAC verification. All three modified functions originally contained this insecure order:

The decrypt function in aes_cbc_hmac_sha2.js ran cipher.final() for CBC before checking macCheckPassed
Both browser/node cbcDecrypt implementations executed crypto.subtle.decrypt/createDecipheriv before MAC validation This sequence allowed attackers to observe timing differences from padding errors during CBC operations before MAC validation occurred. The patches moved MAC checks before any CBC decryption steps.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

jos* is *n npm li*r*ry provi*in* * num**r o* *rypto*r*p*i* op*r*tions. ### Imp**t [**S_***_*M**_S*** *l*orit*m](*ttps://tools.i*t*.or*/*tml/r******#s**tion-*.*) (*******-*S***, *******-*S***, *******-*S***) ***ryption woul* *lw*ys *x**ut* *ot* *M**

Reasoning

T** vuln*r**ility st*mm** *rom p*r*ormin* *** ***ryption (w*i** involv*s p***in* v*li**tion) ***OR* *M** v*ri*i**tion. *ll t*r** mo*i*i** *un*tions ori*in*lly *ont*in** t*is ins**ur* or**r: *. T** ***rypt *un*tion in **s_***_*m**_s***.js r*n *ip**r.*

5.9

Basic Information

Concerned about an active attack path?

CVE-2021-29443: Padding Oracle Attack due to Observable Timing Discrepancy in jose

Impact

Patches

Credits

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI