logo

Database

Business information leak - JWT

Description

Business information is obtained within the JWT, such as: - Username - Password

Impact

- Get the username from the JWT. - Get the encrypted password from the JWT.

Recommendation

Remove the sensitive information from the JWT and manage this kind of information in the server-side.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⏱️ 30 minutes.

Requirements

176 - Restrict system objects177 - Avoid caching and temporary files261 - Avoid exposing sensitive information300 - Mask sensitive data

Fixes

CsharpDartElixirGoJavaPythonScalaTypescript

Score

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

Attack vector

N

Attack complexity

H

Attack requirements

N

Privileges required

N

User interaction

N

Confidentiality (VC)

L

Integrity (VI)

N

Availability (VA)

N

Confidentiality (SC)

N

Integrity (SI)

N

Availability (SA)

N

Threat 4.0

Exploit maturity

X

Vector string

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N