GitHub Advisory Database: GHSA-9GXV-X7RP-R2HC
May 15, 2024 - 9:47 p.m.

gree/jose - "None" Algorithm treated as valid in tokens

2024-05-15 21:47:39
GitHub Advisory Database (github.com)
Tags: jwt, libraries, vulnerabilities, verification, asymmetric keys

AI Score: 7.3 High (Confidence: Low)

Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).
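
As an added illustration (not code from gree/jose or from the advisory), the sketch below shows the defensive check that the advisory title points at: the verifier pins the algorithm in its own configuration and rejects any token whose header says otherwise, including every spelling of "none". HS256 from the Python standard library stands in for the asymmetric algorithms listed above, and `PINNED_ALG`, `make_token`, `verify` and `is_accepted` are hypothetical names; the tokens it handles are constructed samples.

```python
import base64
import hashlib
import hmac
import json

PINNED_ALG = "HS256"  # assumption: set in verifier configuration, never read from the token

class TokenRejected(Exception):
    pass

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header, claims, key=b""):
    """Build a constructed sample token; a signature is added only for PINNED_ALG."""
    signing_input = ".".join(b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    sig = b""
    if header.get("alg") == PINNED_ALG:
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token, key):
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("undecodable token")
    alg = header.get("alg") if isinstance(header, dict) else None
    # Exact match against the pinned value: "none", "None", "NONE" and a missing alg all stop here.
    if alg != PINNED_ALG:
        raise TokenRejected(f"algorithm {alg!r} is not allowed")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("signature mismatch")
    return json.loads(b64url_decode(claims_b64))

def is_accepted(token, key):
    try:
        verify(token, key)
        return True
    except TokenRejected:
        return False
```

The header is parsed only to compare it with the pinned value; the signature computation itself never depends on what the token claims about its algorithm.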

Affected configurations

CPE Name     Operator   Version
gree/jose    le         2.2.0
