PT-2019-11536 · Perl · Crypt::Jwt
Jeremy Choi · Published 2019-07-17 · Updated 2020-08-24
CVE-2019-1010263
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Perl Crypt::JWT versions prior to 0.023
Description:
An attacker can bypass authentication by presenting a crafted token that is accepted through the hmac() function. The root cause is incorrect access control in the JWT.pm component, specifically at line 614. The vulnerability is reachable over the network.
Recommendations:
For versions prior to 0.023, update to a release that includes commit b98a59b42ded9f9e51b2560410106207c2152d6c (0.023 or later) to resolve the issue. As a temporary workaround, restrict network connectivity to the affected application to reduce the risk of exploitation.
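As a defence-in-depth check alongside the upgrade, the following added example (not code from this advisory or from the Crypt::JWT project) refuses to run on a Crypt::JWT release older than 0.023 and verifies tokens with the expected asymmetric algorithm pinned through decode_jwt's accepted_alg option, so that any HMAC-signed token is rejected regardless of how the key is handled. It assumes the issuer signs with RS256 and that the public-key path and the token are placeholders supplied by the deployment.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::JWT qw(decode_jwt);
use Crypt::PK::RSA;

# Refuse to start on a release that predates the fix; 0.023 is the
# first fixed version named in the advisory.
die "Crypt::JWT $Crypt::JWT::VERSION is affected by CVE-2019-1010263; upgrade to 0.023 or later\n"
    if $Crypt::JWT::VERSION < 0.023;

# Assumed deployment: the issuer signs with RS256 and this service
# holds only the issuer's public key (placeholder path).
my $pub = Crypt::PK::RSA->new('/etc/myapp/issuer-public.pem');

# Verify a token; returns (claims, undef) on success or (undef, error).
sub verify_token {
    my ($token) = @_;
    my $claims = eval {
        decode_jwt(
            token        => $token,
            key          => $pub,
            # Pin the algorithm: every HS* (HMAC) alg, or any other alg
            # than the one we issue, is refused whatever key is in play.
            accepted_alg => ['RS256'],
            verify_exp   => 1,
        );
    };
    return (undef, "token rejected: $@") if $@;
    return ($claims, undef);
}

my $token = $ARGV[0] // die "usage: $0 <jwt>\n";
my ($claims, $err) = verify_token($token);
print $err ? "$err\n" : "token accepted for subject $claims->{sub}\n";
```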
Weakness Enumeration:
Improper Verification of Cryptographic Signature
Affected Products:
Crypt::Jwt