CVE-2016-10555

🗓️ 31 May 2018 20:00:00Reported by hackeroneType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 48 Views🌐 WEB

"algorithm" not enforced in jwt.decode() allowing malicious user to choose algorithm, leading to potential data forging

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2016-10555	2 Aug 202310:00	–	circl
Cvelist	CVE-2016-10555	31 May 201820:00	–	cvelist
GithubExploit	jwt-attack-suite	14 Apr 202606:44	–	githubexploit
GithubExploit	Exploit for CVE-2016-10555	4 Mar 202613:34	–	githubexploit
Github Security Blog	Forgeable Public/Private Tokens in jwt-simple	6 Nov 201823:12	–	github
Node.js	Forgeable Public/Private Tokens	21 Mar 201617:05	–	nodejs
NVD	CVE-2016-10555	31 May 201820:29	–	nvd
OSV	GHSA-VGRX-W6RG-8FQF Forgeable Public/Private Tokens in jwt-simple	6 Nov 201823:12	–	osv
Prion	Code injection	31 May 201820:29	–	prion
vulnersOsv	@sysdoc/sysdoc-web-stack (=1.0.0), ac-koa-hipchat (>=0.1.0 <=0.2.20) +182 more potentially affected by CVE-2016-10555 via jwt-simple (>=0.1.0 <=0.3.0)	6 Nov 201823:12	–	vulnersosv

NVD

Vulners

Node

jwt-simple_project jwt-simpleRange≤0.3.0node.js

[
  {
    "product": "jwt-simple node module",
    "vendor": "HackerOne",
    "versions": [
      {
        "status": "affected",
        "version": "<=0.3.0"
      }
    ]
  }
]

Source	Link
github	www.github.com/hokaccha/node-jwt-simple/pull/16
nodesecurity	www.nodesecurity.io/advisories/87
auth0	www.auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
github	www.github.com/hokaccha/node-jwt-simple/pull/14

Parameter	Position	Path	Description	CWE
jku	header	/.well-known/jwks.json	JKU spoofing using attacker-controlled JWKS URL to influence key verification	CWE-20CWE-310

21 Nov 2024 02:44Current

6.2Medium risk

Vulners AI Score6.2

CVSS 24

CVSS 36.5

EPSS0.81652