Описание
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.
Ссылки
- PatchThird Party Advisory
- Release NotesThird Party Advisory
- ExploitPatchThird Party Advisory
- ExploitPatchThird Party Advisory
- ExploitPatchThird Party Advisory
- ExploitPatchThird Party Advisory
- PatchThird Party Advisory
- Release NotesThird Party Advisory
- ExploitPatchThird Party Advisory
- ExploitPatchThird Party Advisory
- ExploitPatchThird Party Advisory
- ExploitPatchThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 4.8.0 (включая) до 10.5.25 (исключая)
cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 82%
0.01775
Низкий
7.7 High
CVSS3
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-347
Связанные уязвимости
CVSS3: 8.6
github
больше 3 лет назад
JWS and JWT signature validation vulnerability with special characters
EPSS
Процентиль: 82%
0.01775
Низкий
7.7 High
CVSS3
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
CWE-347