Description
In the jsonwebtoken node module before 4.2.2, an attacker can bypass verification when a token digitally signed with an asymmetric key (RS/ES family of algorithms) is expected but the attacker instead sends a token digitally signed with a symmetric algorithm (HS* family).
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Mobile Application Platform 4 | nodejs-jsonwebtoken | Not affected | | |
Additional information
Status:
Important
Defect:
CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=1584880 nodejs-jsonwebtoken: verification step bypass with an altered token
7.3 High
CVSS3
Related vulnerabilities
CVSS3: 9.8
nvd
more than 7 years ago
In the jsonwebtoken node module before 4.2.2, an attacker can bypass verification when a token digitally signed with an asymmetric key (RS/ES family of algorithms) is expected but the attacker instead sends a token digitally signed with a symmetric algorithm (HS* family).