servicestack is vulnerable to signature validation bypass. The token validation function does not check a valid minimum length and null for a JWT signature, allowing an attacker to bypass the signature verification.
CPE | Name | Operator | Version |
---|---|---|---|
servicestack.common | eq | 4.5.14 | |
servicestack.common | le | 5.9.0 |
forums.servicestack.net/t/servicestack-v5-9-2-released/8850
github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee
www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/
www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/