PT-2023-31892 · Json-Jwt · Json-Jwt

P3Ngu1Nw

Publicado

2023-12-25

Atualizado

2025-05-08

CVE-2023-51774

CVSS v3.1

8.4

Alta

Vetor

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions json-jwt versions 1.16.3 through 1.16.5 json-jwt versions 1.15.x through 1.15.3

Description The issue allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.

Recommendations For json-jwt versions 1.16.3 through 1.16.5, update to version 1.16.6 or later. For json-jwt versions 1.15.x through 1.15.3, update to version 1.15.3.1 or later. As a temporary workaround, consider restricting the use of JWE to minimize the risk of exploitation.

Exploit

Correção

Improper Access Control

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-284

Identificadores relacionados

CVE-2023-51774

GHSA-C8V6-786G-VJX6

OPENSUSE-SU-2025:0004-1

Produtos afetados

Json-Jwt

PT-2023-31892 · Json-Jwt · Json-Jwt

CVE-2023-51774

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 23