CVE-2018-1000539 – json-jwt

Package

Manager: gem
Name: json-jwt
Vulnerable Version: >=0.5.1 <1.9.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0014 pctl0.34693

Details

Json-jwt did not verify the cryptographic signature for data The json-jwt rubygem version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later.

Metadata

Created: 2018-07-31T18:13:51Z
Modified: 2023-08-25T23:55:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-mj4x-wcxf-hm8x/GHSA-mj4x-wcxf-hm8x.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-mj4x-wcxf-hm8x
Finding: F163
Auto approve: 1