OSV:GHSA-32R3-57HP-CGFW (Google OSV)
History: Jan 13, 2024 - 3:30 a.m.

EverShop at risk to unauthorized access via weak HMAC secret

Published: 2024-01-13 03:30:17
Source: Google, osv.dev
Tags: evershop, vulnerability, @evershop/evershop, 1.0.0-rc.9, hmac secret, json web tokens, unauthorized access, npm, package, weakness

CVSS3: 9.1 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 6.6 Medium (Confidence: Low)

EPSS: 0.001 Low (Percentile: 39.3%)

An issue was discovered in the npm package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used to sign tokens is hardcoded as "secret". A weak HMAC secret is dangerous because an attacker who knows the predictable secret can forge valid JSON Web Tokens (JWTs) and thereby gain access to sensitive information and actions within the application.

CPE Name: @evershop/evershop
Operator: lt
Version: 1.0.0-rc.9
