Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:47480
HistoryJun 12, 2024 - 5:44 a.m.

Authentication Bypass

2024-06-1205:44:58
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
11
authentication bypass
jwt vulnerability
hmac verification
asymmetric public key
bypassing authentication

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.3

Confidence

Low

EPSS

0.001

Percentile

22.0%

authlib is vulnerable to Authentication Bypass The vulnerability is due to allowing HMAC verification with any asymmetric public key in jwt.decode calls without specifying an algorithm, which attackers can exploit to bypass authentication checks.

Affected configurations

Vulners
Node
veracodeauthlibRange1.3.01.3.0
OR
veracodeauthlibRange1.3.01.3.0
VendorProductVersionCPE
veracodeauthlib*cpe:2.3:a:veracode:authlib:*:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.3

Confidence

Low

EPSS

0.001

Percentile

22.0%