CVE-2021-29444: 
JavaScript vulnerability analysis and mitigation

jose-browser-runtime is an npm package which provides cryptographic functions. A padding oracle vulnerability (CVE-2021-29444) was discovered in versions prior to 3.11.4, affecting the AESCBCHMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption process. The vulnerability was disclosed on April 15, 2021 (GitHub Advisory).

The vulnerability stems from an observable timing discrepancy during the decryption process. The implementation would execute both HMAC tag verification and CBC decryption, regardless of failure state, before throwing a JWEDecryptionFailed error. This timing difference during padding error occurrence creates a padding oracle that could be exploited (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 score of 5.9 (Moderate) with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N.

An adversary could potentially exploit this padding oracle to decrypt data without possessing the decryption key. The attack would require on average 128*b calls to the padding oracle, where b represents the number of bytes in the ciphertext block. This could lead to unauthorized access to encrypted data, compromising confidentiality (GitHub Advisory).

The vulnerability has been patched in version 3.11.4 and later. The fix ensures that HMAC tag verification is performed before CBC decryption. Users are strongly advised to upgrade to version 3.11.4 or later to address this vulnerability (GitHub Advisory).

The vulnerability was discovered and reported by Morgan Brown of Microsoft, with Eva Sarafianou (@esarafianou) contributing to the advisory's scoring (GitHub Advisory).