Count: 2
CVE-2016-10555
Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
GHSA-vgrx-w6rg-8fqf
Forgeable Public/Private Tokens in jwt-simple
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| CVE-2016-10555: Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants. | CVSS3: 6.5 | 82% High | more than 7 years ago |
| GHSA-vgrx-w6rg-8fqf: Forgeable Public/Private Tokens in jwt-simple | | 82% High | more than 7 years ago |