Unknown · Distribution · CVE-2025-24976
Name of the Vulnerable Software and Affected Versions:
Distribution versions 3.0.0-beta.1 through 3.0.0-rc.2
Description:
The flaw is in how token authentication verifies a JSON Web Key (JWK) carried in the header of a JSON Web Token (JWT). When the JWT header contains a JWK but no accompanying certificate chain, the verifier only checks that the JWK's key ID (`kid`) matches one of the configured trusted keys; it does not check that the JWK's key material is the same as the trusted key registered under that `kid`. An attacker who knows a trusted `kid` can therefore place their own public key in the header under that `kid`, sign the token with the corresponding private key, and have the signature verified against the injected key rather than the trusted one, so a token signed by an untrusted key is accepted.
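The Go program below is an added illustration, not code from Distribution itself, contrasting the flawed key selection with a corrected one. The `trustedKeys` and `jwkHeader` types, the selector functions, the `kid` string and the claims payload are constructed for the example; the token is reduced to a SHA-256 digest of the payload signed with ECDSA so that the program runs stand-alone. The vulnerable selector returns the key from the token once the `kid` is known; the fixed selector requires the inline key to equal the trusted key and verifies with the trusted copy.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// trustedKeys models the registry's configured trusted signing keys, indexed
// by key ID (kid). Names and shapes here are illustrative, not Distribution's.
type trustedKeys map[string]crypto.PublicKey

// jwkHeader models the relevant part of a JWT header: a kid plus a public key
// carried inline as a JWK, with no certificate chain to validate it against.
type jwkHeader struct {
	Kid string
	Key crypto.PublicKey
}

// keySelector decides which public key verifies the token's signature.
type keySelector func(trustedKeys, jwkHeader) (crypto.PublicKey, error)

// selectKeyVulnerable reproduces the flawed logic: the kid must be a trusted
// one, but the key actually used for verification is the one from the token,
// so an attacker who knows a trusted kid controls the verifying key.
func selectKeyVulnerable(trusted trustedKeys, h jwkHeader) (crypto.PublicKey, error) {
	if _, ok := trusted[h.Kid]; !ok {
		return nil, errors.New("kid is not a trusted key")
	}
	return h.Key, nil
}

// selectKeyFixed requires the inline JWK to equal the trusted key registered
// under that kid, and verifies with the trusted copy rather than the token's.
func selectKeyFixed(trusted trustedKeys, h jwkHeader) (crypto.PublicKey, error) {
	want, ok := trusted[h.Kid]
	if !ok {
		return nil, errors.New("kid is not a trusted key")
	}
	// Standard-library public key types implement Equal; anything else is a mismatch.
	eq, ok := want.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !eq.Equal(h.Key) {
		return nil, errors.New("JWK key material does not match trusted key for kid")
	}
	return want, nil
}

// scenario builds a token signed either by the trusted key or by an
// attacker-generated key presented under the trusted kid, runs the given
// selector, and verifies the signature with the key it returns. It reports
// whether the token would be accepted.
func scenario(sel keySelector, attacker bool) (bool, error) {
	trustedPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	attackerPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	const kid = "registry-signing-key-1" // constructed identifier
	trusted := trustedKeys{kid: &trustedPriv.PublicKey}

	signer := trustedPriv
	if attacker {
		signer = attackerPriv
	}
	// Constructed claims standing in for the JWT payload; only the signature matters here.
	payload := []byte(`{"access":[{"type":"repository","name":"library/alpine","actions":["push"]}]}`)
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return false, err
	}

	// The header carries the trusted kid but the signer's own public key.
	hdr := jwkHeader{Kid: kid, Key: &signer.PublicKey}
	key, err := sel(trusted, hdr)
	if err != nil {
		return false, err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("unexpected key type")
	}
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	cases := []struct {
		name     string
		sel      keySelector
		attacker bool
	}{
		{"vulnerable, trusted signer", selectKeyVulnerable, false},
		{"vulnerable, attacker signer", selectKeyVulnerable, true},
		{"fixed, trusted signer", selectKeyFixed, false},
		{"fixed, attacker signer", selectKeyFixed, true},
	}
	for _, c := range cases {
		ok, err := scenario(c.sel, c.attacker)
		fmt.Printf("%-28s accepted=%-5v err=%v\n", c.name, ok, err)
	}
}
```

Running it shows the attacker-signed token accepted under the vulnerable selector and rejected with a key-mismatch error under the fixed one, while a token from the real trusted key passes both. The important design point is that the fixed path never verifies with key material taken from the token: once the `kid` is resolved, the trusted key is the only one that counts.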
Recommendations:
For versions 3.0.0-beta.1 through 3.0.0-rc.2, upgrade to version 3.0.0-rc.3 or later, which contains the fix (commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd).
If upgrading is not immediately possible, disable token authentication as a temporary workaround until the fixed version can be deployed.