CVE-2021-27884

Опубликовано: 01 мар. 2021

Источник: nvd

CVSS3: 5.1

CVSS2: 3.6

EPSS Низкий

Описание

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.

Ссылки

https://github.com/YMFE/yapi/issues/2117
Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
Third Party Advisory
https://github.com/YMFE/yapi/issues/2117
Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ymfe:yapi:*:*:*:*:*:*:*:*

Версия до 1.9.2 (включая)

EPSS

Процентиль: 18%

0.00056

Низкий

5.1 Medium

CVSS3

3.6 Low

CVSS2

Дефекты

CWE-330

Связанные уязвимости

GHSA-2h3h-vw8r-82rp