PT-2021-17644 · Ymfe · Ymfe Yapi

Jarlob

Published 2021-03-01 · Updated 2021-03-26 · CVE-2021-27884

CVSS v3.1: 5.1 Medium
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: YMFE YApi versions 1.9.2 and earlier
Description: The issue arises from weak JSON Web Token (JWT) signing secret generation. The secret is produced with Math.random in Node.js, which is not a cryptographically secure random number generator, so other users' JWT tokens can be recreated.
Recommendations: For versions 1.9.2 and earlier, update to version 1.9.3 to resolve the issue. As a temporary workaround, consider restricting access to sensitive operations that rely on JWT tokens until the update can be applied.

Fix

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2021-27884
GHSA-2H3H-VW8R-82RP

Affected Products

Ymfe Yapi