PT-2018-8620 · Cisco · Node-Jose

Zi0Black · Published 2018-01-04 · Updated 2022-05-13 · CVE-2018-0114

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Cisco node-jose versions prior to 0.11.0
Description: The node-jose library follows the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs), which allows a JSON Web Key (JWK) representing a public key to be embedded in the header of a JWS. The library then trusts this embedded public key when verifying the signature. An attacker could exploit this to forge valid JWS objects by removing the original signature, adding a new public key to the header, and then signing the object with the associated private key.
Recommendations: For versions prior to 0.11.0, update to version 0.11.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of JSON Web Tokens (JWTs) that contain embedded public keys until a patch is applied. Avoid trusting public keys embedded in JWS headers to minimize the risk of exploitation.
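
The check behind the last recommendation, as an added example that is not node-jose code or part of the original advisory: it uses only Node.js built-in `crypto`, and the function names, the ES256 choice and the sample keys and tokens are assumptions constructed for illustration. It puts the header-trusting pattern from the description beside a verifier that uses only a pinned key and refuses tokens carrying a `jwk` header.

```javascript
// Added example: constructed keys and tokens, Node.js built-in crypto only.
const crypto = require('node:crypto');
const ES256 = { dsaEncoding: 'ieee-p1363' }; // raw r||s signature format used by JWS
const b64u = (v) => Buffer.from(v).toString('base64url');

// Build a compact ES256 JWS; extraHeader lets a sample carry an embedded "jwk".
function signCompact(payload, privateKey, extraHeader = {}) {
  const header = b64u(JSON.stringify({ alg: 'ES256', ...extraHeader }));
  const input = `${header}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, ...ES256 });
  return `${input}.${b64u(sig)}`;
}

function parse(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  return { header, input: Buffer.from(`${parts[0]}.${parts[1]}`), sig: Buffer.from(parts[2], 'base64url') };
}

const check = (input, sig, key) => crypto.verify('sha256', input, { key, ...ES256 }, sig);

// Flawed pattern from the description: a key in the header decides validity.
function verifyTrustingHeader(token, configuredKey) {
  const { header, input, sig } = parse(token);
  const key = header.jwk ? crypto.createPublicKey({ key: header.jwk, format: 'jwk' }) : configuredKey;
  return check(input, sig, key);
}

// Hardened: pinned key and algorithm only; tokens carrying a "jwk" are refused.
function verifyPinned(token, pinnedKey) {
  const { header, input, sig } = parse(token);
  if (header.alg !== 'ES256' || 'jwk' in header) return false;
  return check(input, sig, pinnedKey);
}

// Constructed sample: one key the application trusts, one it has never seen.
const trusted = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const unknown = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const legit = signCompact({ sub: 'alice' }, trusted.privateKey);
const selfKeyed = signCompact({ sub: 'alice' }, unknown.privateKey,
  { jwk: unknown.publicKey.export({ format: 'jwk' }) });

console.log('header-trusting:', verifyTrustingHeader(selfKeyed, trusted.publicKey));
console.log('pinned, self-keyed:', verifyPinned(selfKeyed, trusted.publicKey));
console.log('pinned, legit:', verifyPinned(legit, trusted.publicKey));
```

The same three calls make a useful regression test after upgrading: the token signed by the unknown key must fail under whatever verification path the application uses.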

Exploit

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2018-0114
GHSA-JFXM-W8G2-4RCV

Affected Products

Node-Jose