PT-2019-20029 · None · Jwt-Simple
Published 2019-06-06 · Updated 2019-06-06
Severity: None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
jwt-simple versions prior to 0.5.3
Description
The issue allows an attacker to bypass signature verification. If no algorithm is specified in the decode() function, the package uses the algorithm named in the JWT header to verify the token. This enables an attacker to create a token with a symmetric algorithm (HS256), using the server's public key as the HMAC secret, and the package will accept that HMAC signature as though the token had been signed with the server's private key under the asymmetric algorithm (RS256).
Recommendations
Upgrade to version 0.5.3 or later, and always pass the expected algorithm to decode() so that the algorithm is chosen by the server, not by the token.
Weakness Enumeration
Improper Verification of Cryptographic Signature (CWE-347)
Related Identifiers
Affected Products
Jwt-Simple