exploitDog
CVE-2020-15084

Published: 30 Jun 2020
Source: nvd
CVSS3: 7.7
CVSS3: 9.1
CVSS2: 4.3
EPSS: Low

Description

In express-jwt (NPM package) up to and including version 5.3.3, the algorithms entry that should be specified in the configuration is not enforced. When algorithms is not specified in the configuration, in combination with jwks-rsa, this may lead to an authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt. - You do not have algorithms configured in your express-jwt configuration. - You are using a library such as jwks-rsa as the secret. You can fix this by specifying algorithms in the express-jwt configuration; see the linked GHSA for an example. This is also fixed in version 6.0.0.

Vulnerable configurations

Configuration 1
cpe:2.3:a:auth0:express-jwt:*:*:*:*:*:node.js:*:*
Versions up to 5.3.3 (inclusive)

EPSS

Percentile: 45%
Score: 0.00222
Rating: Low

CVSS3: 7.7 High
CVSS3: 9.1 Critical
CVSS2: 4.3 Medium

Weaknesses

CWE-285 (Improper Authorization)
CWE-863 (Incorrect Authorization)

Related entries

github (CVSS3: 7.7), published more than 5 years ago:
Authorization bypass in express-jwt
