CVE-2018-1000539

Опубликовано: 26 июн. 2018

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later.

Ссылки

https://github.com/nov/json-jwt/pull/62
Third Party Advisory
https://www.debian.org/security/2018/dsa-4283
https://github.com/nov/json-jwt/pull/62
Third Party Advisory
https://www.debian.org/security/2018/dsa-4283

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:json-jwt_project:json-jwt:*:*:*:*:*:*:*:*

Версия от 0.5.0 (включая) до 1.9.4 (исключая)

EPSS

Процентиль: 34%

0.0014

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347

Связанные уязвимости

CVE-2018-1000539

CVSS3: 5.3

ubuntu

больше 7 лет назад

CVE-2018-1000539

CVSS3: 5.3

debian

больше 7 лет назад

Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper ...

GHSA-mj4x-wcxf-hm8x

CVSS3: 5.3

github

больше 7 лет назад

Json-jwt did not verify the cryptographic signature for data

EPSS

Процентиль: 34%

0.0014

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347