CVE-2022-3102

Name of the Vulnerable Software and Affected Versions OSV (affected versions not specified)

Description The issue concerns the JWT code's ability to auto-detect token types, potentially leading to incorrect conclusions about token trustworthiness. Under certain circumstances, an attacker can substitute a signed JWS with a JWE encrypted with the public key used for signature validation. This substitution attack requires the validating application to have access to the private key used for signing tokens. The attack's significance depends on the token's use, potentially leading to authentication or authorization bypass, as the attacker can inject desired claim values. Several mitigating factors can protect applications, including the unavailability of the private key, specific JWK parameters, and token type checks before validation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.