Description
Weak JSON Web Token in yapi-vendor
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used as a source of randomness for JWT signing. Math.random does not provide cryptographically secure random numbers. This has been patched in version 1.9.3.
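As an added illustration (not code from YApi or from this advisory), the sketch below places a Math.random-derived secret of the kind the description names beside a CSPRNG-based replacement, with a minimal HS256 signer and verifier built on Node's crypto module. All function names are hypothetical.

```javascript
// Added example: names below are hypothetical, not taken from YApi's source.
const nodeCrypto = require('crypto');

// Weak pattern of the kind the advisory describes: Math.random() is a
// non-cryptographic PRNG, so a secret derived from it is not unpredictable.
function weakSecret() {
  return Math.random().toString(36).slice(2);
}

// Hardened form: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded.
function strongSecret() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Minimal HS256 JWT signer, so the example needs no third-party package.
function signHS256(payload, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const mac = nodeCrypto.createHmac('sha256', secret).update(`${header}.${body}`).digest();
  return `${header}.${body}.${b64url(mac)}`;
}

// Verifier: pins the algorithm, recomputes the MAC, compares in constant time.
function verifyHS256(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  let alg;
  try { alg = JSON.parse(Buffer.from(header, 'base64url').toString()).alg; } catch { return null; }
  if (alg !== 'HS256') return null;
  const expected = nodeCrypto.createHmac('sha256', secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  try { return JSON.parse(Buffer.from(body, 'base64url').toString()); } catch { return null; }
}
```

Replacing the signing secret invalidates every token issued under the old one, so existing sessions have to be re-established after the change.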
Packages
Name: yapi-vendor (npm)
Affected versions: <= 1.9.2
Fixed version: 1.9.3
Related vulnerabilities
CVSS3: 5.1
nvd
almost 5 years ago
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.