Lucene search
GoogleOSV:GHSA-8XF4-W7QW-PJJWHistoryMar 30, 2022 - 12:00 a.m.
Firebase PHP-JWT key/algorithm type confusion
2022-03-3000:00:27
Google
osv.dev
17
firebase
php-jwt
algorithm-confusion
kid header
key ring
attacker
tokens
vulnerability
EPSS
0.001
Percentile
46.0%
In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself.
Related
friendsofphp
friendsofphp
Key/algorithm type confusion
2022-03-30 00:00:00
osv
osv
CVE-2021-46743
2022-03-29 07:15:07
cve
cve
CVE-2021-46743
2022-03-29 07:15:07
veracode
veracode
Validation Bypass
2022-03-30 06:13:21
nvd
nvd
CVE-2021-46743
2022-03-29 07:15:07
cvelist
cvelist
CVE-2021-46743
2022-03-29 06:40:18
prion
prion
Design/Logic Flaw
2022-03-29 07:15:00
github
github
Firebase PHP-JWT key/algorithm type confusion
2022-03-30 00:00:27