CVE-2018-1000539

Published: Jun 26, 2018Modified: Nov 21, 2024

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later.

Affected (1)

Products: Json Jwt Project: Json Jwt

Json Jwt Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Json Jwt Project Json Jwt	From 0.5.0 to 1.9.4

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://github.com/nov/json-jwt/pull/62

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2018/dsa-4283

Source: cve@mitre.org

https://github.com/nov/json-jwt/pull/62

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2018/dsa-4283

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.