GHSA-mg8r-9g6j-hwv9

Опубликовано: 18 фев. 2019

Источник: github

Github: Прошло ревью

CVSS3: 9.8

Описание

Authentication Bypass in hapi-auth-jwt2

Versions of hapi-auth-jwt2 prior to version 5.1.2 are affected by a complete authentication bypass vulnerability when in the try authentication mode.

Recommendation

Update to version 5.1.2 or later.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2016-10525
https://github.com/dwyl/hapi-auth-jwt2/issues/111
https://github.com/dwyl/hapi-auth-jwt2/pull/112
https://github.com/advisories/GHSA-mg8r-9g6j-hwv9
https://www.npmjs.com/advisories/81

Пакеты

Наименование

hapi-auth-jwt2

npm

Затронутые версииВерсия исправления

= 5.1.1

5.1.2

EPSS

Процентиль: 63%

0.00448

Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2016-10525

Дефекты

CWE-287

Связанные уязвимости

CVE-2016-10525

CVSS3: 9.8

nvd

больше 7 лет назад

When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication.

EPSS

Процентиль: 63%

0.00448

Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2016-10525

Дефекты

CWE-287