213 – Business information leak - JWT

Description

Business information is obtained within the JWT, such as: - Username - Password

Impact

- Get the username from the JWT. - Get the encrypted password from the JWT.

Recommendation

Remove the sensitive information from the JWT and manage this kind of information in the server-side.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects
• 177 - Avoid caching and temporary files
• 261 - Avoid exposing sensitive information
• 300 - Mask sensitive data

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Scala
• Typescript

Last updated

2024/02/16