CVE-2023-23928

Published: Feb 1, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.

Affected (1)

Products: Reason Jose Project: Reason Jose

Reason Jose Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Reason Jose Project Reason Jose	Before 0.8.2

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7

Source: security-advisories@github.com

Third Party Advisory

https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.