Description
A flaw was found in the jsonwebtoken package. In affected versions of the jsonwebtoken library, if a malicious actor can modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can perform remote code execution (RCE).
Statement
Red Hat Product Security does not consider this to be a vulnerability.
Affected packages
Platform | Package | State | Recommendation | Release
---|---|---|---|---
Red Hat OpenShift Container Platform 4 | openshift4/ose-console | Not affected | |
Red Hat Openshift Container Storage 4 | ocs4/mcg-core-rhel8 | Not affected | |
Red Hat Openshift Data Foundation 4 | noobaa-core-container | Not affected | |
Red Hat Openshift Data Foundation 4 | odf4/mcg-core-rhel9 | Not affected | |
Additional information
Weakness: CWE-20
Red Hat Bugzilla: jsonwebtoken: Insecure input validation in jwt.verify function
https://bugzilla.redhat.com/show_bug.cgi?id=2159911
CVSS3: 0 (Low)
Related vulnerabilities
- nvd (more than 2 years ago): Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The issue is not a vulnerability. Notes: none. CVSS3: 7.6
- github (more than 2 years ago): jsonwebtoken has insecure input validation in jwt.verify function. CVSS3: 0 (Low)