CVE-2020-28042

Опубликовано: 02 нояб. 2020

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Средний

Описание

ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.

Ссылки

https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850
Release Notes
Vendor Advisory
https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee
Patch
Third Party Advisory
https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/
Exploit
Third Party Advisory
https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/
Exploit
Third Party Advisory
https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850
Release Notes
Vendor Advisory
https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee
Patch
Third Party Advisory
https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/
Exploit
Third Party Advisory
https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:servicestack:servicestack:*:*:*:*:*:*:*:*

Версия до 5.9.2 (исключая)

EPSS

Процентиль: 97%

0.35995

Средний

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-347

Связанные уязвимости

GHSA-v5rv-hpxg-8x49

github

около 5 лет назад

Signature validation bypass in ServiceStack

BDU:2025-03227