Lookup for vulnerable packages by Package URL.

Purl pkg:npm/csrf-lite@0.1.2
Type npm
Namespace
Name csrf-lite
Version 0.1.2
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 0.1.2
Latest_non_vulnerable_version 0.1.2
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-5npf-xayn-6qfa
vulnerability_id VCID-5npf-xayn-6qfa
summary
Non-Constant Time String Comparison
csrf-lite uses `===`, a fail-first string comparison, instead of a constant-time string comparison. This lets an attacker measure minuscule timing differences in CSRF token checks, essentially enabling them to guess the token one character at a time. Each check increases the variable `tempCheck` by one. If a malicious user is able to observe what `tempCheck` is at each run (how long a check takes), then they can see when it increases. This increase indicates that the character they just supplied for `csrfTokenCompare` is the correct one.
references
0
reference_url https://github.com/isaacs/csrf-lite/pull/1
reference_id
reference_type
scores
url https://github.com/isaacs/csrf-lite/pull/1
fixed_packages
0
url pkg:npm/csrf-lite@0.1.2
purl pkg:npm/csrf-lite@0.1.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/csrf-lite@0.1.2
aliases GMS-2016-30
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5npf-xayn-6qfa
1
url VCID-d1xq-9hrf-4qhs
vulnerability_id VCID-d1xq-9hrf-4qhs
summary
Cross-Site Request Forgery (CSRF)
csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses `===`, a fail-first string comparison, instead of a constant-time string comparison. This enables an attacker to guess the secret in no more than (16*18) = 288 guesses, instead of the 16^18 guesses required were the timing attack not present.
references
0
reference_url https://github.com/isaacs/csrf-lite/pull/1
reference_id
reference_type
scores
url https://github.com/isaacs/csrf-lite/pull/1
1
reference_url https://nodesecurity.io/advisories/94
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/94
2
reference_url https://www.npmjs.com/advisories/94
reference_id
reference_type
scores
url https://www.npmjs.com/advisories/94
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-10535
reference_id CVE-2016-10535
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-10535
4
reference_url https://github.com/advisories/GHSA-hjhr-r3gq-qvp6
reference_id GHSA-hjhr-r3gq-qvp6
reference_type
scores
url https://github.com/advisories/GHSA-hjhr-r3gq-qvp6
fixed_packages
0
url pkg:npm/csrf-lite@0.1.2
purl pkg:npm/csrf-lite@0.1.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/csrf-lite@0.1.2
aliases CVE-2016-10535, GHSA-hjhr-r3gq-qvp6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d1xq-9hrf-4qhs
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/csrf-lite@0.1.2