namshi/jose insecure JSON Web Signatures (JWS)

2024-05-1722:31:42

Google

osv.dev

namshi/jose

json web signatures

vulnerability

$allowunsecure flag

'none' algorithm

security risk

7 High

AI Score

Confidence

High

JSON

namshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with ‘none’ algorithms to be processed. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid jwt token.

CPENameOperatorVersion
namshi/joseeq2.0.0
namshi/joseeq1.0.0-beta1
namshi/joseeq1.2.1
namshi/joseeq1.0.0
namshi/joseeq1.0.0-rc1
namshi/joseeq2.0.1
namshi/joseeq2.1.0
namshi/joseeq2.1.1
namshi/joseeq1.0.1
namshi/joseeq1.2.0

Name	Operator	Version
namshi/jose	eq	2.0.0
namshi/jose	eq	1.0.0-beta1
namshi/jose	eq	1.2.1
namshi/jose	eq	1.0.0
namshi/jose	eq	1.0.0-rc1
namshi/jose	eq	2.0.1
namshi/jose	eq	2.1.0
namshi/jose	eq	2.1.1
namshi/jose	eq	1.0.1
namshi/jose	eq	1.2.0

Rows per page:

1-10 of 141

References

github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-02-19.yaml

github.com/namshi/jose

github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e

7 High

AI Score

Confidence

High

JSON