PT-2018-9301 · Inversoft · Prime-Jwt

Dmako

Published

2018-03-13

Updated

2018-04-16

CVE-2018-1000125

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: inversoft prime-jwt versions prior to 1.3.0

Description: The issue concerns an input validation vulnerability in the JWTDecoder.decode function. This vulnerability can be exploited by an attacker crafting a token with a valid header and body, which can then be requested for validation, potentially allowing a JWT to be decoded and implicitly validated even if it lacks a valid signature.

Recommendations: For inversoft prime-jwt versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2018-1000125

Affected Products

Prime-Jwt

PT-2018-9301 · Inversoft · Prime-Jwt

CVE-2018-1000125

Weakness Enumeration

Related Identifiers

Affected Products

References · 4