Fluid Attacks Database

Description

namshi/jose insecure JSON Web Signatures (JWS) namshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with 'none' algorithms to be processed. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid jwt token.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	namshi/jose	>=0 <1.1.2 \|\| >=1.2.0 <1.2.2 \|\| >=2.0.0 <2.0.3 \|\| >=2.1.0 <2.1.2	1.1.2, 1.2.2, 2.0.3, 2.1.2

Aliases

1. GCVE-GHSA-hxhc-wmg8-xrqf

References

1. https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e2. https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-02-19.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.