CVE-2020-15957

Published: Jul 30, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing (DP3T). When it is configured to check JWT before uploading/publishing keys, it is possible to skip the signature check by providing a JWT token with alg=none.

Affected (1)

Products: Dp3t Backend Software Development Kit Project: Dp3t Backend Software Development Kit

Dp3t Backend Software Development Kit Project

1 product

Dp3t Backend Software Development Kit

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dp3t Backend Software Development Kit Project Dp3t Backend Software Development Kit	Before 1.1.1

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://github.com/DP-3T/dp3t-sdk-backend/compare/v1.0.4...v1.1.0

Source: cve@mitre.org

Release NotesThird Party Advisory

https://github.com/DP-3T/dp3t-sdk-backend/security/advisories/GHSA-5m5q-3qw2-3xf3

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/dp-3T/dp3t-sdk-backend

Source: cve@mitre.org

Third Party Advisory

https://github.com/DP-3T/dp3t-sdk-backend/compare/v1.0.4...v1.1.0

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/DP-3T/dp3t-sdk-backend/security/advisories/GHSA-5m5q-3qw2-3xf3

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/dp-3T/dp3t-sdk-backend

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.