PT-2021-18227 · Unknown · Grassroot Platform

Published: 2021-04-19 · Updated: 2021-04-28 · CVE-2021-29455

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Grassroot Platform versions prior to 1.3.1
Description: When refreshing an existing JSON Web Token (JWT), the platform does not properly verify the signature of the token being refreshed, so a tampered token can be turned into a validly signed JWT (forgery). The problem has been resolved by deprecating the JWT refresh function in the fixed version.
Recommendations: For versions prior to 1.3.1, update to version 1.3.1 or later, which deprecates the JWT refresh function and so prevents the forgery of valid JWTs. As a temporary workaround, disable the JWT refresh function until the update can be applied.
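The bug class described above, as an added illustration that is not Grassroot Platform's own code (the project is written in Java; this is a self-contained Python model with a hand-rolled HS256 JWT): a refresh routine that reads claims from the old token without verifying its signature will re-sign whatever it is given, whereas a refresh that verifies first rejects a tampered token. All function names and the sample key are assumptions made for this example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed sample key for this example only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT of the form header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims only if alg is HS256 and the HMAC over header.payload matches."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload))

def is_valid(token: str, key: bytes) -> bool:
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False

def refresh_unverified(token: str, key: bytes) -> str:
    """Vulnerable pattern: claims are taken from the old token without checking its
    signature, so a token whose payload was edited is re-issued as a validly signed JWT."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    claims["exp"] = claims.get("exp", 0) + 3600
    return sign_jwt(claims, key)

def refresh_verified(token: str, key: bytes) -> str:
    """Hardened pattern: the old token must verify before a new one is minted."""
    claims = verify_jwt(token, key)  # raises ValueError on a bad signature
    claims["exp"] = claims.get("exp", 0) + 3600
    return sign_jwt(claims, key)

def tampered_copy(token: str, **changes) -> str:
    """Constructed test input: a token whose payload was edited after it was signed."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims.update(changes)
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"
```

The check that `refresh_verified` adds is exactly what the unverified refresh lacks; the fixed release avoids the question entirely by deprecating the refresh function.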

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2021-29455
GHSA-F65W-6XW8-6734

Affected Products

Grassroot Platform