exploitDog
GHSA-32r3-57hp-cgfw

Published: 13 Jan 2024
Source: github
GitHub: reviewed
CVSS4: 9.1
CVSS3: 7.4

Description

EverShop at risk to unauthorized access via weak HMAC secret

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.

Packages

Name: @evershop/evershop (npm)
Affected versions: < 1.0.0-rc.9
Patched version: 1.0.0-rc.9

EPSS

Percentile: 25%
Score: 0.00086
Low

CVSS4: 9.1 Critical

CVSS3: 7.4 High

Weaknesses

CWE-284
CWE-798

Related vulnerabilities

CVSS3: 9.1
nvd
about 2 years ago

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.

EPSS

Percentile: 25%
Score: 0.00086
Low

CVSS4: 9.1 Critical

CVSS3: 7.4 High

Weaknesses

CWE-284
CWE-798