CVE-2018-0114 – node-jose

Package

Manager: npm
Name: node-jose
Vulnerable Version: >=0 <0.11.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.84691 pctl0.99291

Details

Cisco node-jose improper validation of JWT signature A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). This standard specifies that a JSON Web Key (JWK) representing a public key can be embedded within the header of a JWS. This public key is then trusted for verification. An attacker could exploit this by forging valid JWS objects by removing the original signature, adding a new public key to the header, and then signing the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.

Metadata

Created: 2022-05-13T01:17:32Z
Modified: 2023-10-06T00:56:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfxm-w8g2-4rcv/GHSA-jfxm-w8g2-4rcv.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-jfxm-w8g2-4rcv
Finding: F204
Auto approve: 1