| { |
| "package": "jwt", |
| "source": "NVD", |
| "count": 100, |
| "vulnerabilities": [ |
| { |
| "cve_id": "CVE-2022-39366", |
| "cvss_score": 9.9, |
| "severity": "CRITICAL", |
| "description": "DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the `StatelessTokenService` of the Metadata service uses the `parse` method of `io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic tok", |
| "published": "2022-10-28T17:15:23.590", |
| "affected_versions": "< 0.8.45", |
| "cpe_vendors": [ |
| "datahub:datahub" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2016-8218", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf-release versions 203 to 231. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API, aka an \"Unauthenticated JWT signing algorithm in routing\" issue.", |
| "published": "2017-06-13T06:29:00.237", |
| "affected_versions": "<= 203, 204, 205", |
| "cpe_vendors": [ |
| "cloudfoundry:cf-release", |
| "cloudfoundry:routing-release" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2017-2773", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime, aka an \"Unauthenticated JWT signing algorithm in multiple components\" issue.", |
| "published": "2017-06-13T06:29:00.300", |
| "affected_versions": "1.6.0, 1.6.1, 1.6.2", |
| "cpe_vendors": [ |
| "pivotal_software:cloud_foundry_elastic_runtime" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2018-1000125", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid signature. This attack appear to be exploitable via an attacker crafting a token with a valid header and body and then requests it to be validated. This vulnerability appears to have been fixed in 1.3.0 and later or after commit ", |
| "published": "2018-03-13T21:29:00.367", |
| "affected_versions": "< 1.3.0", |
| "cpe_vendors": [ |
| "inversoft:prime-jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2017-18239", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "A time-sensitive equality check on the JWT signature in the JsonWebToken.validate method in main/scala/authentikat/jwt/JsonWebToken.scala in authentikat-jwt (aka com.jason-goodwin/authentikat-jwt) version 0.4.5 and earlier allows the supplier of a JWT token to guess bit after bit of the signature by repeating validation requests.", |
| "published": "2018-03-18T03:29:00.213", |
| "affected_versions": "<= 0.4.5", |
| "cpe_vendors": [ |
| "authentikat-jwt_project:authentikat-jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2018-6873", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated.", |
| "published": "2018-04-04T17:29:01.647", |
| "affected_versions": "<= 8.10.1", |
| "cpe_vendors": [ |
| "auth0:auth0.js" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-7644", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.", |
| "published": "2019-04-11T20:29:00.760", |
| "affected_versions": "< 1.0.4", |
| "cpe_vendors": [ |
| "auth0:auth0-wcf-service-jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-1010263", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c.", |
| "published": "2019-07-17T21:15:10.780", |
| "affected_versions": "< 0.023", |
| "cpe_vendors": [ |
| "perl_crypt\\:\\" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-1010161", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "perl-CRYPT-JWT 0.022 and earlier is affected by: Incorrect Access Control. The impact is: bypass authentication. The component is: JWT.pm for JWT security token, line 614 in _decode_jws(). The attack vector is: network connectivity(crafting user-controlled input to bypass authentication). The fixed version is: 0.023.", |
| "published": "2019-07-25T14:15:11.453", |
| "affected_versions": "<= 0.022", |
| "cpe_vendors": [ |
| "perl-crypt-jwt_project:perl-crypt-jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-17195", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.", |
| "published": "2019-10-15T14:15:12.380", |
| "affected_versions": "< 7.9, 3.2.1, 1.7.0", |
| "cpe_vendors": [ |
| "connect2id:nimbus_jose\\+jwt", |
| "apache:hadoop", |
| "oracle:communications_cloud_native_core_security_edge_protection_proxy", |
| "oracle:communications_pricing_design_center", |
| "oracle:data_integrator", |
| "oracle:enterprise_manager_base_platform", |
| "oracle:healthcare_data_repository", |
| "oracle:insurance_policy_administration", |
| "oracle:jd_edwards_enterpriseone_orchestrator", |
| "oracle:jd_edwards_enterpriseone_tools" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-12511", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the \"NETGEAR Genie\" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be ", |
| "published": "2020-02-24T19:15:13.513", |
| "affected_versions": "< 1.0.4.26", |
| "cpe_vendors": [ |
| "netgear:nighthawk_x10-r9000_firmware" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-26892", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.", |
| "published": "2020-11-06T08:15:13.610", |
| "affected_versions": "< 2.1.9, 33", |
| "cpe_vendors": [ |
| "linuxfoundation:nats-server", |
| "fedoraproject:fedora" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-20933", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).", |
| "published": "2020-11-19T02:15:11.913", |
| "affected_versions": "< 1.7.6, 9.0, 10.0", |
| "cpe_vendors": [ |
| "influxdata:influxdb", |
| "debian:debian_linux" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-3199", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter.", |
| "published": "2021-01-26T18:16:28.507", |
| "affected_versions": "< 5.6.3", |
| "cpe_vendors": [ |
| "onlyoffice:document_server" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-40494", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "A Hardcoded JWT Secret Key in metadata.py in AdaptiveScale LXDUI through 2.1.3 allows attackers to gain admin access to the host system.", |
| "published": "2021-09-03T02:15:06.467", |
| "affected_versions": "<= 2.1.3", |
| "cpe_vendors": [ |
| "adaptivescale:lxdui" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-37580", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0", |
| "published": "2021-11-16T10:15:07.220", |
| "affected_versions": "2.3.0, 2.4.0", |
| "cpe_vendors": [ |
| "apache:shenyu" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-45389", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "A flaw was found with the JWT token. A self-signed JWT token could be injected into the update manager and bypass the authentication process, thus could escalate privileges. This affects StarWind SAN and NAS build 1578 and StarWind Command Center build 6864.", |
| "published": "2022-01-04T16:15:09.727", |
| "affected_versions": "6864, 1578", |
| "cpe_vendors": [ |
| "starwind:command_center", |
| "starwind:san\\&nas" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-22845", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations.", |
| "published": "2022-01-10T14:12:58.567", |
| "affected_versions": "< 1.4.28", |
| "cpe_vendors": [ |
| "qxip:homer_webapp" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-35540", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "Hardcoded JWT Secret in AgileConfig <1.6.8 Server allows remote attackers to use the generated JWT token to gain administrator access.", |
| "published": "2022-08-18T23:15:08.293", |
| "affected_versions": "< 1.6.8", |
| "cpe_vendors": [ |
| "dotnetcore:agileconfig" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-36672", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "Novel-Plus v3.6.2 was discovered to contain a hard-coded JWT key located in the project config file. This vulnerability allows attackers to create a custom user session.", |
| "published": "2022-09-01T03:15:16.343", |
| "affected_versions": "3.6.2", |
| "cpe_vendors": [ |
| "xxyopen:novel-plus" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-42980", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "go-admin (aka GO Admin) 2.0.12 uses the string go-admin as a production JWT key.", |
| "published": "2022-10-17T07:15:08.863", |
| "affected_versions": "2.0.12", |
| "cpe_vendors": [ |
| "go-admin:go-admin" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-44796", |
| "cvss_score": 9.8, |
| "severity": "CRITICAL", |
| "description": "An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in Object First Ootbi BETA build 1.0.13.1611.", |
| "published": "2022-11-07T04:15:09.600", |
| "affected_versions": "< 1.0.13.1611", |
| "cpe_vendors": [ |
| "objectfirst:ootbi" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-29451", |
| "cvss_score": 9.1, |
| "severity": "CRITICAL", |
| "description": "Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.", |
| "published": "2021-04-16T22:15:14.233", |
| "affected_versions": "< 5.2.1", |
| "cpe_vendors": [ |
| "manydesigns:portofino" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-39227", |
| "cvss_score": 9.1, |
| "severity": "CRITICAL", |
| "description": "python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to versio", |
| "published": "2022-09-23T07:15:09.300", |
| "affected_versions": "< 3.3.4", |
| "cpe_vendors": [ |
| "python-jwt_project:python-jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-13423", |
| "cvss_score": 8.8, |
| "severity": "HIGH", |
| "description": "Search Guard Kibana Plugin versions before 5.6.8-7 and before 6.x.y-12 had an issue that an authenticated Kibana user could impersonate as kibanaserver user when providing wrong credentials when all of the following conditions a-c are true: a) Kibana is configured to use Single-Sign-On as authentication method, one of Kerberos, JWT, Proxy, Client certificate. b) The kibanaserver user is configured to use HTTP Basic as the authentication method. c) Search Guard is configured to use an SSO authent", |
| "published": "2019-08-23T14:15:11.607", |
| "affected_versions": "< 5.6.8-7, < 6.2.3-12", |
| "cpe_vendors": [ |
| "search-guard:search_guard" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-26077", |
| "cvss_score": 8.8, |
| "severity": "HIGH", |
| "description": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions 1.1.0 before 2.1.3 and versions 2.1.4 before 2.1.5 erroneously accept context JWTs in lifecycle en", |
| "published": "2021-05-10T00:15:07.543", |
| "affected_versions": "< 2.1.3, < 2.1.5", |
| "cpe_vendors": [ |
| "atlassian:connect_spring_boot" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-24804", |
| "cvss_score": 8.8, |
| "severity": "HIGH", |
| "description": "The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover.", |
| "published": "2021-11-17T11:15:07.990", |
| "affected_versions": "< 3.2.1", |
| "cpe_vendors": [ |
| "simple_jwt_login_project:simple_jwt_login" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-42983", |
| "cvss_score": 8.8, |
| "severity": "HIGH", |
| "description": "anji-plus AJ-Report 0.9.8.6 allows remote attackers to bypass login authentication by spoofing JWT Tokens.", |
| "published": "2022-10-17T07:15:08.973", |
| "affected_versions": "0.9.8.6", |
| "cpe_vendors": [ |
| "anji-plus:aj-report" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-1764", |
| "cvss_score": 8.6, |
| "severity": "HIGH", |
| "description": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.", |
| "published": "2020-03-26T13:15:13.203", |
| "affected_versions": "< 1.15.1, 1.0", |
| "cpe_vendors": [ |
| "kiali:kiali", |
| "redhat:openshift_service_mesh" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-22190", |
| "cvss_score": 8.5, |
| "severity": "HIGH", |
| "description": "A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token", |
| "published": "2021-04-12T15:15:14.517", |
| "affected_versions": "< 13.7.8, < 13.7.8, < 13.8.5", |
| "cpe_vendors": [ |
| "gitlab:gitlab" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-32753", |
| "cvss_score": 8.3, |
| "severity": "HIGH", |
| "description": "EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is created, the client_id and client_secret required to obtain an OAuth2 authentication token are set to the username of the proxy user. A remote network attacker can then perform a dictionary-based password a", |
| "published": "2021-07-09T19:15:08.373", |
| "affected_versions": "< 2.0.0", |
| "cpe_vendors": [ |
| "edgexfoundry:edgex_foundry" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-7787", |
| "cvss_score": 8.2, |
| "severity": "HIGH", |
| "description": "This affects all versions of package react-adal. It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by ||. When the received nonce and session keys are generated", |
| "published": "2020-12-09T17:15:32.027", |
| "affected_versions": "", |
| "cpe_vendors": [ |
| "react-adal_project:react-adal" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-21378", |
| "cvss_score": 8.2, |
| "severity": "HIGH", |
| "description": "Envoy is a cloud-native high-performance edge/middle/service proxy. In Envoy version 1.17.0 an attacker can bypass authentication by presenting a JWT token with an issuer that is not in the provider list when Envoy's JWT Authentication filter is configured with the `allow_missing` requirement under `requires_any` due to a mistake in implementation. Envoy's JWT Authentication filter can be configured with the `allow_missing` requirement that will be satisfied if JWT is missing (JwtMissed error) a", |
| "published": "2021-03-11T03:15:12.163", |
| "affected_versions": "1.17.0", |
| "cpe_vendors": [ |
| "envoyproxy:envoy" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-36089", |
| "cvss_score": 8.2, |
| "severity": "HIGH", |
| "description": "KubeVela is an application delivery platform Users using KubeVela's VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the `PlatformID` as the signed key to generate the JWT tokens for users. Another API called `getSystemInfo` exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a pa", |
| "published": "2022-09-07T23:15:14.240", |
| "affected_versions": "< 1.4.11, < 1.5.3", |
| "cpe_vendors": [ |
| "kubevela:kubevela" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2018-1000025", |
| "cvss_score": 8.1, |
| "severity": "HIGH", |
| "description": "Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 contains a Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php does not verify for token signature that can result in JWT with any email address and user ID could be forged from an actual token, or from thin air. This attack appear to be exploitable via Attacker would only need to know email address of the victim on most cases.. This vulnerability appears to have been fixed in 3.8.1.", |
| "published": "2018-02-09T23:29:00.777", |
| "affected_versions": "<= 3.8.0", |
| "cpe_vendors": [ |
| "firebase_admin_sdk_for_php_project:firebase_admin_sdk_for_php" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-29492", |
| "cvss_score": 8.1, |
| "severity": "HIGH", |
| "description": "Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences `%2F` and `%5C` in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. `/something%2F..%2Fadmin`, to bypass access control, e.g. a block on `/admin`. A backend server could then decode slash sequences and normalize path and provide an attacker access beyond the scope provided for by the access control policy. ### Impact Escalation of Privileges ", |
| "published": "2021-05-28T21:15:08.670", |
| "affected_versions": "< 1.15.5, < 1.16.4, < 1.17.3", |
| "cpe_vendors": [ |
| "envoyproxy:envoy" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-24844", |
| "cvss_score": 8.1, |
| "severity": "HIGH", |
| "description": "Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. The problem occurs in the following code in server/service/system/sys_auto_code_pgsql.go, which means that PostgreSQL must be used as the database for this vulnerability to occur. Users must: Require JWT login) and be using PostgreSQL to be affected. This issue has been resolved in version 2.5.1. There are no known workarounds.", |
| "published": "2022-04-13T21:15:07.887", |
| "affected_versions": "< 2.5.1", |
| "cpe_vendors": [ |
| "gin-vue-admin_project:gin-vue-admin" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-29060", |
| "cvss_score": 8.1, |
| "severity": "HIGH", |
| "description": "A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API 5.5.0 through 5.5.1, 5.4.0 through 5.4.2, 5.3.0 through 5.3.1, 5.2.0, 5.1.0 may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device.", |
| "published": "2022-07-19T14:15:08.603", |
| "affected_versions": "5.1.0, 5.2.0, 5.3.0", |
| "cpe_vendors": [ |
| "fortinet:fortiddos" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-26073", |
| "cvss_score": 7.7, |
| "severity": "HIGH", |
| "description": "Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accep", |
| "published": "2021-04-16T03:15:12.033", |
| "affected_versions": "< 6.6.0", |
| "cpe_vendors": [ |
| "atlassian:connect_express" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-25898", |
| "cvss_score": 7.7, |
| "severity": "HIGH", |
| "description": "The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.", |
| "published": "2022-07-01T20:15:08.023", |
| "affected_versions": "< 10.5.25", |
| "cpe_vendors": [ |
| "jsrsasign_project:jsrsasign" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2016-7037", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack.", |
| "published": "2017-01-23T21:59:02.487", |
| "affected_versions": "<= 1.0.2", |
| "cpe_vendors": [ |
| "emarref:jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2017-11424", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.", |
| "published": "2017-08-24T16:29:00.197", |
| "affected_versions": "<= 1.5.0, 8.0, 9.0", |
| "cpe_vendors": [ |
| "pyjwt_project:pyjwt", |
| "debian:debian_linux" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2018-1000531", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "inversoft prime-jwt version prior to commit abb0d479389a2509f939452a6767dc424bb5e6ba contains a CWE-20 vulnerability in JWTDecoder.decode that can result in an incorrect signature validation of a JWT token. This attack can be exploitable when an attacker crafts a JWT token with a valid header using 'none' as algorithm and a body to requests it be validated. This vulnerability was fixed after commit abb0d479389a2509f939452a6767dc424bb5e6ba.", |
| "published": "2018-06-26T16:29:01.807", |
| "affected_versions": "<= 1.3.0", |
| "cpe_vendors": [ |
| "inversoft:prime-jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-12995", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "Istio before 1.2.2 mishandles certain access tokens, leading to \"Epoch 0 terminated with an error\" in Envoy. This is related to a jwt_authenticator.cc segmentation fault.", |
| "published": "2019-06-28T10:15:11.487", |
| "affected_versions": "< 1.2.2", |
| "cpe_vendors": [ |
| "istio:istio" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-1020015", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT.", |
| "published": "2019-07-29T13:15:12.090", |
| "affected_versions": "< 1.0.0, 1.0.0, 1.0.0", |
| "cpe_vendors": [ |
| "hasura:graphql_engine" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-14993", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.", |
| "published": "2019-08-13T18:15:13.117", |
| "affected_versions": "< 1.1.13, < 1.2.4", |
| "cpe_vendors": [ |
| "istio:istio" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-19324", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "Xmidt cjwt through 1.0.1 before 2019-11-25 maps unsupported algorithms to alg=none, which sometimes leads to untrusted accidental JWT acceptance.", |
| "published": "2020-03-20T18:15:13.857", |
| "affected_versions": "< 2019-11-25", |
| "cpe_vendors": [ |
| "xmidt:cjwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-15957", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing (DP3T). When it is configured to check JWT before uploading/publishing keys, it is possible to skip the signature check by providing a JWT token with alg=none.", |
| "published": "2020-07-30T14:15:12.260", |
| "affected_versions": "< 1.1.1", |
| "cpe_vendors": [ |
| "dp3t-backend-software_development_kit_project:dp3t-backend-software_development_kit" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-26160", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.", |
| "published": "2020-09-30T18:15:27.397", |
| "affected_versions": "<= 3.2.0", |
| "cpe_vendors": [ |
| "jwt-go_project:jwt-go" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-26511", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "The wpo365-login plugin before v11.7 for WordPress allows use of a symmetric algorithm to decrypt a JWT token. This leads to authentication bypass.", |
| "published": "2020-10-02T05:15:12.457", |
| "affected_versions": "< 11.7", |
| "cpe_vendors": [ |
| "wpo365:wordpress_\\+_azure_ad_\\/_microsoft_office_365" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-26521", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code).", |
| "published": "2020-11-06T08:15:13.563", |
| "affected_versions": "< 2.1.9, 33", |
| "cpe_vendors": [ |
| "linuxfoundation:nats-server", |
| "fedoraproject:fedora" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-3127", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.", |
| "published": "2021-03-16T20:15:13.300", |
| "affected_versions": "< 2.2.0, < 2.0.1", |
| "cpe_vendors": [ |
| "linuxfoundation:nats-server", |
| "nats:jwt_library" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-27306", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT.", |
| "published": "2021-03-18T15:15:16.230", |
| "affected_versions": "< 2.3.2.0", |
| "cpe_vendors": [ |
| "konghq:kong_gateway" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-22696", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a \"request\" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the \"request_uri\" parameter. CXF was not validating the \"request_uri\" parameter (apart from ensuring it uses \"https) and was making a REST request to the para", |
| "published": "2021-04-02T10:15:12.200", |
| "affected_versions": "< 3.3.10, < 3.4.3, 5.5.0.0.0", |
| "cpe_vendors": [ |
| "apache:cxf", |
| "oracle:business_intelligence", |
| "oracle:communications_diameter_intelligence_hub", |
| "oracle:communications_element_manager", |
| "oracle:communications_session_report_manager", |
| "oracle:communications_session_route_manager" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-29455", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "Grassroot Platform is an application to make it faster, cheaper and easier to persistently organize and mobilize people in low-income communities. Grassroot Platform before master deployment as of 2021-04-16 did not properly verify the signature of JSON Web Tokens when refreshing an existing JWT. This allows to forge a valid JWT. The problem has been patched in version 1.3.1 by deprecating the JWT refresh function, which was an overdue deprecation regardless (the \"refresh\" flow is no longer used", |
| "published": "2021-04-19T19:15:17.827", |
| "affected_versions": "< 1.3.1", |
| "cpe_vendors": [ |
| "grassroot:grassroot_platform" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-29500", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "bubble fireworks is an open source java package relating to Spring Framework. In bubble fireworks before version 2021.BUILD-SNAPSHOT there is a vulnerability in which the package did not properly verify the signature of JSON Web Tokens. This allows to forgery of valid JWTs.", |
| "published": "2021-06-04T20:15:07.763", |
| "affected_versions": "< 2021.build-snapshot", |
| "cpe_vendors": [ |
| "bubble_fireworks_project:bubble_fireworks" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-29157", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.", |
| "published": "2021-06-28T12:15:08.647", |
| "affected_versions": "< 2.3.14.1, 33, 34", |
| "cpe_vendors": [ |
| "dovecot:dovecot", |
| "fedoraproject:fedora" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-35342", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x before 2.7.1) and 1.13.0 (in Northern.tech Mender Enterprise 2.6.x before 2.6.1) allows users to access the system with their JWT token after logout, because of missing invalidation (if the JWT verification cache is enabled).", |
| "published": "2021-08-27T10:15:07.793", |
| "affected_versions": "1.14.0, 1.13.0", |
| "cpe_vendors": [ |
| "northern.tech:useradm" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-44877", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect Access Control. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. A broken access control vulnerability has been found while using a temporary generated token in order to consume api resources. The vulnerability allows an unauthenticated attacker to use an api endpoint to generate a temporary JWT token that ", |
| "published": "2021-12-21T17:15:08.590", |
| "affected_versions": "2.22.8", |
| "cpe_vendors": [ |
| "dalmark:systeam_enterprise_resource_planning" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-24998", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that \"does not generate cryptographically secure values, and should not be used for cryptographic purposes\" according to PHP's documentation.", |
| "published": "2021-12-27T11:15:09.517", |
| "affected_versions": "< 3.3.0", |
| "cpe_vendors": [ |
| "simple_jwt_login_project:simple_jwt_login" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-43824", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions a crafted request crashes Envoy when a CONNECT request is sent to JWT filter configured with regex match. This provides a denial of service attack vector. The only workaround is to not use regex in the JWT filter. Users are advised to upgrade.", |
| "published": "2022-02-22T23:15:10.813", |
| "affected_versions": "< 1.18.6, < 1.19.3, < 1.20.2", |
| "cpe_vendors": [ |
| "envoyproxy:envoy" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-22332", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker to impersonate another user due to missing revocation mechanism for the JWT token. IBM X-Force ID: 219131.", |
| "published": "2022-04-01T17:15:09.897", |
| "affected_versions": "6.2.0", |
| "cpe_vendors": [ |
| "ibm:partner_engagement_manager" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-29266", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.", |
| "published": "2022-04-20T08:15:07.740", |
| "affected_versions": "< 2.13.1", |
| "cpe_vendors": [ |
| "apache:apisix" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-36065", |
| "cvss_score": 7.5, |
| "severity": "HIGH", |
| "description": "GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true: Self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as ", |
| "published": "2022-09-06T21:15:08.760", |
| "affected_versions": "< 1.6.0", |
| "cpe_vendors": [ |
| "growthbook:growthbook" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2018-15801", |
| "cvss_score": 7.4, |
| "severity": "HIGH", |
| "description": "Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWTs with the malicious issuer URL that may be granted for the honest issuer.", |
| "published": "2018-12-19T22:29:00.593", |
| "affected_versions": "< 5.1.2", |
| "cpe_vendors": [ |
| "vmware:spring_framework" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-15240", |
| "cvss_score": 7.4, |
| "severity": "HIGH", |
| "description": "omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Co", |
| "published": "2020-10-21T18:15:12.813", |
| "affected_versions": "< 2.4.1", |
| "cpe_vendors": [ |
| "auth0:omniauth-auth0" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-39177", |
| "cvss_score": 7.4, |
| "severity": "HIGH", |
| "description": "Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with manipulated JWT token allowing impersonation as any user. Version 1.4.2-SNAPSHOT contains a patch for the issue. There are no known workarounds aside from upgrading.", |
| "published": "2021-08-30T23:15:07.070", |
| "affected_versions": "< 1.4.2", |
| "cpe_vendors": [ |
| "geysermc:geyser" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-29217", |
| "cvss_score": 7.4, |
| "severity": "HIGH", |
| "description": "PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has t", |
| "published": "2022-05-24T15:15:07.767", |
| "affected_versions": "< 2.4.0, 35, 36", |
| "cpe_vendors": [ |
| "pyjwt_project:pyjwt", |
| "fedoraproject:fedora" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-13483", |
| "cvss_score": 7.3, |
| "severity": "HIGH", |
| "description": "Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signature of an Access Token before processing. This allows attackers to forge tokens and bypass authentication and authorization mechanisms.", |
| "published": "2019-07-25T20:15:11.730", |
| "affected_versions": "< 0.4.0", |
| "cpe_vendors": [ |
| "auth0:passport-sharepoint" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-8595", |
| "cvss_score": 7.3, |
| "severity": "HIGH", |
| "description": "Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.", |
| "published": "2020-02-12T15:15:14.727", |
| "affected_versions": "<= 1.3.7, <= 1.4.3, 1.0", |
| "cpe_vendors": [ |
| "istio:istio", |
| "redhat:openshift_service_mesh" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-41803", |
| "cvss_score": 7.1, |
| "severity": "HIGH", |
| "description": "HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.\"", |
| "published": "2022-09-23T01:15:08.623", |
| "affected_versions": "< 1.11.9, < 1.11.9, 1.12.4", |
| "cpe_vendors": [ |
| "hashicorp:consul" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-1762", |
| "cvss_score": 7.0, |
| "severity": "HIGH", |
| "description": "An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration.", |
| "published": "2020-04-27T21:15:13.717", |
| "affected_versions": "< 1.15.1, 1.0", |
| "cpe_vendors": [ |
| "kiali:kiali", |
| "redhat:openshift_service_mesh" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2016-10555", |
| "cvss_score": 6.5, |
| "severity": "MEDIUM", |
| "description": "Since \"algorithm\" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.", |
| "published": "2018-05-31T20:29:02.067", |
| "affected_versions": "<= 0.3.0", |
| "cpe_vendors": [ |
| "jwt-simple_project:jwt-simple" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2018-11537", |
| "cvss_score": 6.5, |
| "severity": "MEDIUM", |
| "description": "Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain.", |
| "published": "2018-06-19T19:29:00.377", |
| "affected_versions": "< 0.1.10", |
| "cpe_vendors": [ |
| "auth0:angular-jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-3167", |
| "cvss_score": 6.5, |
| "severity": "MEDIUM", |
| "description": "In Cloudera Data Engineering (CDE) 1.3.0, JWT authentication tokens are exposed to administrators in virtual cluster server logs.", |
| "published": "2021-03-15T16:15:13.810", |
| "affected_versions": "1.3.0", |
| "cpe_vendors": [ |
| "cloudera:data_engineering" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-26074", |
| "cvss_score": 6.5, |
| "severity": "MEDIUM", |
| "description": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where ", |
| "published": "2021-04-16T03:15:12.113", |
| "affected_versions": "< 2.1.3", |
| "cpe_vendors": [ |
| "atlassian:connect_spring_boot" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-36124", |
| "cvss_score": 6.5, |
| "severity": "MEDIUM", |
| "description": "Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).", |
| "published": "2021-05-07T11:15:08.040", |
| "affected_versions": "<= 7.0.8_20200511171508", |
| "cpe_vendors": [ |
| "paxtechnology:paxstore" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-32631", |
| "cvss_score": 6.5, |
| "severity": "MEDIUM", |
| "description": "Common is a package of common modules that can be accessed by NIMBLE services. Common before commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 did not properly verify the signature of JSON Web Tokens. This allows someone to forge a valid JWT. Being able to forge JWTs may lead to authentication bypasses. Commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 contains a patch for the issue. As a workaround, one may use the parseClaimsJws method to correctly verify the signature of a JWT.", |
| "published": "2021-07-26T16:15:07.637", |
| "affected_versions": "", |
| "cpe_vendors": [ |
| "nimble-project:common" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-23207", |
| "cvss_score": 6.5, |
| "severity": "MEDIUM", |
| "description": "An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed version 2.0.1.3 application and impersonate arbitrary users. An attacker could manipulate RabbitMQ queues and messages by impersonating users.", |
| "published": "2022-01-21T19:15:08.063", |
| "affected_versions": "<= d25, <= 3.3.0, 1.0", |
| "cpe_vendors": [ |
| "fresenius-kabi:agilia_connect", |
| "fresenius-kabi:agilia_partner_maintenance_software", |
| "fresenius-kabi:vigilant_centerium", |
| "fresenius-kabi:vigilant_insight", |
| "fresenius-kabi:vigilant_mastermed", |
| "fresenius-kabi:link\\+_agilia_firmware" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-22311", |
| "cvss_score": 6.5, |
| "severity": "MEDIUM", |
| "description": "IBM Security Verify Access could allow a user, using man in the middle techniques, to obtain sensitive information or possibly change some information due to improper validiation of JWT tokens.", |
| "published": "2022-03-31T18:15:09.437", |
| "affected_versions": "10.0.0, 10.0.1, 10.0.2", |
| "cpe_vendors": [ |
| "ibm:security_verify_access" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-10689", |
| "cvss_score": 6.4, |
| "severity": "MEDIUM", |
| "description": "A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod.", |
| "published": "2020-04-03T15:15:14.420", |
| "affected_versions": "< 7.9.0", |
| "cpe_vendors": [ |
| "eclipse:che" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-41130", |
| "cvss_score": 6.4, |
| "severity": "MEDIUM", |
| "description": "Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by HTTP header \"X-Endpoint-API-UserInfo\", the application can use it to do authorization. But if there are two \"X-Endpoint-API-UserInfo\" headers from the client, ESPv1 only replaces the first one, the 2nd one will be passed to the application. An attacker can send two ", |
| "published": "2021-10-07T19:15:08.843", |
| "affected_versions": "< 1.58.0", |
| "cpe_vendors": [ |
| "google:extensible_service_proxy" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-3509", |
| "cvss_score": 6.1, |
| "severity": "MEDIUM", |
| "description": "A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability.", |
| "published": "2021-05-27T00:15:08.577", |
| "affected_versions": "4.0", |
| "cpe_vendors": [ |
| "redhat:ceph_storage" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2017-8932", |
| "cvss_score": 5.9, |
| "severity": "MEDIUM", |
| "description": "A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.", |
| "published": "2017-07-06T16:29:00.420", |
| "affected_versions": "<= 1.7.5, 1.8, 1.8.1", |
| "cpe_vendors": [ |
| "golang:go", |
| "novell:suse_package_hub_for_suse_linux_enterprise", |
| "fedoraproject:fedora", |
| "opensuse:leap" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2018-8023", |
| "cvss_score": 5.9, |
| "severity": "MEDIUM", |
| "description": "Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation fun", |
| "published": "2018-09-21T13:29:01.140", |
| "affected_versions": "< 1.4.2, 1.5.0, 1.5.1", |
| "cpe_vendors": [ |
| "apache:mesos" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-26833", |
| "cvss_score": 5.9, |
| "severity": "MEDIUM", |
| "description": "Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and versions <= 1.21.115 for Android allows attacker who can locally read user's files obtain JWT tokens for user's account due to insufficient cache clearing mechanisms. A threat actor can obtain sensitive user data by decoding the tokens as JWT is signed and encoded, not encrypted.", |
| "published": "2021-04-06T16:15:16.457", |
| "affected_versions": "<= 1.7.0, <= 1.21.115", |
| "cpe_vendors": [ |
| "timelybills:timelybills" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-33846", |
| "cvss_score": 5.9, |
| "severity": "MEDIUM", |
| "description": "Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 issues authentication tokens to authenticated users that are signed with a symmetric encryption key. An attacker in possession of the key can issue valid JWTs and impersonate arbitrary users.", |
| "published": "2022-01-21T19:15:09.007", |
| "affected_versions": "<= 3.3.0, 1.0, 1.0", |
| "cpe_vendors": [ |
| "fresenius-kabi:agilia_partner_maintenance_software", |
| "fresenius-kabi:vigilant_centerium", |
| "fresenius-kabi:vigilant_insight", |
| "fresenius-kabi:vigilant_mastermed", |
| "fresenius-kabi:agilia_connect_firmware", |
| "fresenius-kabi:link\\+_agilia_firmware" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-5300", |
| "cvss_score": 5.8, |
| "severity": "MEDIUM", |
| "description": "In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], OpenId specification says the following about assertion `jti`: \"A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties\". Hydra does not check the uniqueness of this `jti` value. Exploitin", |
| "published": "2020-04-06T17:15:13.367", |
| "affected_versions": "< 1.4.0", |
| "cpe_vendors": [ |
| "ory:hydra" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-25993", |
| "cvss_score": 5.4, |
| "severity": "MEDIUM", |
| "description": "In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attacker’s server and will lead to account takeover when accessed by the victim.", |
| "published": "2021-12-29T17:15:07.483", |
| "affected_versions": "<= 2.5.255, 2.0.0, 2.0.0", |
| "cpe_vendors": [ |
| "requarks:wiki.js" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2017-10862", |
| "cvss_score": 5.3, |
| "severity": "MEDIUM", |
| "description": "jwt-scala 1.2.2 and earlier fails to verify token signatures correctly which may lead to an attacker being able to pass specially crafted JWT data as a correctly signed token.", |
| "published": "2017-10-12T14:29:00.263", |
| "affected_versions": "<= 1.2.2", |
| "cpe_vendors": [ |
| "really:jwt-scala" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2017-8031", |
| "cvss_score": 5.3, |
| "severity": "MEDIUM", |
| "description": "An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.", |
| "published": "2017-11-27T10:29:00.767", |
| "affected_versions": "<= 278, < 30.6, < 45.4", |
| "cpe_vendors": [ |
| "cloudfoundry:cf-release", |
| "cloudfoundry:uaa-release" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-4072", |
| "cvss_score": 5.3, |
| "severity": "MEDIUM", |
| "description": "In generator-jhipster-kotlin version 1.6.0 log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable. This issue has been fixed in version 1.7.0.", |
| "published": "2020-06-25T20:15:11.350", |
| "affected_versions": "< 1.7.0", |
| "cpe_vendors": [ |
| "jhipster:generator-jhipster-kotlin" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-28042", |
| "cvss_score": 5.3, |
| "severity": "MEDIUM", |
| "description": "ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.", |
| "published": "2020-11-02T21:15:31.320", |
| "affected_versions": "< 5.9.2", |
| "cpe_vendors": [ |
| "servicestack:servicestack" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-36083", |
| "cvss_score": 5.3, |
| "severity": "MEDIUM", |
| "description": "JOSE is \"JSON Web Almost Everything\" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password br", |
| "published": "2022-09-07T22:15:08.657", |
| "affected_versions": "< 1.28.2, < 2.0.6, < 3.20.4", |
| "cpe_vendors": [ |
| "jose_project:jose" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-27884", |
| "cvss_score": 5.1, |
| "severity": "MEDIUM", |
| "description": "Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.", |
| "published": "2021-03-01T23:15:13.267", |
| "affected_versions": "<= 1.9.2", |
| "cpe_vendors": [ |
| "ymfe:yapi" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2015-2951", |
| "cvss_score": 5.0, |
| "severity": "MEDIUM", |
| "description": "JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signature verification via crafted tokens.", |
| "published": "2015-06-05T10:59:05.380", |
| "affected_versions": "<= 1.0", |
| "cpe_vendors": [ |
| "f21:jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2022-31130", |
| "cvss_score": 4.9, |
| "severity": "MEDIUM", |
| "description": "Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication", |
| "published": "2022-10-13T23:15:09.637", |
| "affected_versions": "< 8.5.14, < 9.1.8", |
| "cpe_vendors": [ |
| "grafana:grafana" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2021-41106", |
| "cvss_score": 4.4, |
| "severity": "MEDIUM", |
| "description": "JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Vers", |
| "published": "2021-09-28T21:15:07.370", |
| "affected_versions": "< 3.4.6, < 4.0.4, < 4.1.5", |
| "cpe_vendors": [ |
| "lcobucci:jwt" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2020-26172", |
| "cvss_score": 4.2, |
| "severity": "MEDIUM", |
| "description": "Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp.", |
| "published": "2020-12-18T10:15:12.710", |
| "affected_versions": "< 1.18.1", |
| "cpe_vendors": [ |
| "tangro:business_workflow" |
| ] |
| }, |
| { |
| "cve_id": "CVE-2019-3868", |
| "cvss_score": 3.8, |
| "severity": "LOW", |
| "description": "Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.", |
| "published": "2019-04-24T16:29:02.373", |
| "affected_versions": "<= 6.0.0", |
| "cpe_vendors": [ |
| "redhat:keycloak" |
| ] |
| } |
| ], |
| "search_mode": "keyword", |
| "_cached_at": 1778081355.1555667 |
| } |
