4 matches found
CVE-2016-10555
creationtimestamp | type | source
---|---|---
2023-08-02 10:00:03+00:00 | seen | https://t.me/ptsoft/21
2023-08-02 10:00:03+00:00 | seen | https://t.me/ptsoft/12
2025-01-28 13:54:03+00:00 | published-proof-of-concept | https://t.me/GithubRedTeam/11760
2025-02-05 19:34:25+00:00 | published-proof-of-concept...
@sysdoc/sysdoc-web-stack (=1.0.0), ac-koa-hipchat (>=0.1.0 <=0.2.20) +182 more potentially affected by CVE-2016-10555 via jwt-simple (>=0.1.0 <=0.3.0)
jwt-simple NPM version =0.1.0, =0.1.0, =0.1.0, =1.1.0, =0.0.1, =0.1.0, =1.0.0, =0.0.7, =0.2.12, =0.5.3, =0.1.0, =0.0.2, =1.1.1, =1.3.1 and more Source cves: CVE-2016-10555 Source advisory: OSV:GHSA-VGRX-W6RG-8FQF...
CVE-2016-10555
The CVE-2016-10555 issue affects the jwt-simple library (Node.js). It arises because jwt.decode() does not strictly enforce the algorithm, allowing a malicious user to choose the JWT verification algorithm. If a server expects RSA but receives an HMAC-SHA with RSA’s public key, the public key cou...
CVE-2016-10555
Since "algorithm" isn't enforced in jwt.decode in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key...