GitHub Advisory Database: GHSA-HXHC-WMG8-XRQF
History: May 17, 2024 - 10:31 p.m.

namshi/jose insecure JSON Web Signatures (JWS)

2024-05-17 22:31:42
Tags: namshi/jose, json web signatures, acceptance vulnerability, security risk, jwt token, software

AI Score: 7
Confidence: High

namshi/jose allows the acceptance of unsecured JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true while a JWS is loaded, permits tokens signed with the 'none' algorithm to be processed. This behavior poses a significant security risk because it could allow an attacker to impersonate users by crafting a valid JWT token.
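
An added example, not code from namshi/jose or from the advisory, of a loader that refuses unsecured tokens: the verifier pins HS256 itself and rejects any other alg header, including 'none', before touching the payload. The function names, the key and both tokens are constructed for this illustration, and only HMAC-SHA256 is covered.

```php
<?php
// Added illustration, not namshi/jose code; every name below is hypothetical.
const PINNED_ALG = 'HS256'; // chosen by the verifier, never by the token

function b64uDecode(string $s): string
{
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    $bin = base64_decode(strtr($s, '-_', '+/') . $pad, true);
    if ($bin === false) {
        throw new RuntimeException('malformed base64url segment');
    }
    return $bin;
}

function loadVerified(string $token, string $key): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new RuntimeException('not a compact JWS');
    }
    [$h, $p, $sig] = $parts;
    $header = json_decode(b64uDecode($h), true);
    // Refuses "none", case variants of it, a missing alg and any other value.
    if (!is_array($header) || ($header['alg'] ?? null) !== PINNED_ALG) {
        throw new RuntimeException('alg header is not ' . PINNED_ALG);
    }
    if (!hash_equals(hash_hmac('sha256', "$h.$p", $key, true), b64uDecode($sig))) {
        throw new RuntimeException('signature mismatch');
    }
    $claims = json_decode(b64uDecode($p), true);
    if (!is_array($claims)) {
        throw new RuntimeException('payload is not a JSON object');
    }
    return $claims;
}

// Constructed sample data: the key, the claims and both tokens are made up.
$enc = fn(string $b): string => rtrim(strtr(base64_encode($b), '+/', '-_'), '=');
$key = 'constructed-demo-key';
[$hdr, $body] = [$enc('{"alg":"HS256","typ":"JWT"}'), $enc('{"sub":"alice"}')];
$signed = "$hdr.$body." . $enc(hash_hmac('sha256', "$hdr.$body", $key, true));
$unsecured = $enc('{"alg":"none"}') . ".$body.";
foreach (['signed' => $signed, 'unsecured' => $unsecured] as $name => $tok) {
    try {
        echo "$name: accepted ", json_encode(loadVerified($tok, $key)), PHP_EOL;
    } catch (RuntimeException $e) {
        echo "$name: rejected ({$e->getMessage()})", PHP_EOL;
    }
}
```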

Affected configurations

Vulners
Node
namshi | namshi\/jose | Range: 2.1.0 - 2.1.2
OR
namshi | namshi\/jose | Range: 2.0.0 - 2.0.3
OR
namshi | namshi\/jose | Range: 1.2.0 - 1.2.2
OR
namshi | namshi\/jose | Range: <1.1.2

Vendor | Product | Version | CPE
namshi | namshi\/jose | * | cpe:2.3:a:namshi:namshi\/jose:*:*:*:*:*:*:*:*
