Database

Description

The system does not properly validate the token used for user creation: it trusts the algorithm declared in the token's own header instead of the one it expects. For this reason, it is possible to modify the header field that states which algorithm the token is signed with, so that the token is treated as unsigned and accepted without any signature check.

Impact

Create users within the application using tokens that are not signed.

Recommendation

Do not choose the verification algorithm from the one found in the token header, since an attacker can modify that header so that the token signature is never properly validated. The expected algorithm must come from the server's own configuration, and any token whose header declares a different algorithm (or no algorithm at all) must be rejected.
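The following Python example is added here to illustrate the description and the recommendation above; it is not code from the original entry or from any affected product. It implements a minimal HS256 JWT signer with the standard library and then shows two verifiers side by side: one that takes the algorithm from the token header (the defect described on this page) and one that pins the algorithm to server configuration (the recommended behaviour). The secret key, the claims and the `strip_signature` test fixture are constructed for the demonstration. Real libraries expose the same pin as a parameter, for example PyJWT's `algorithms=` argument to `jwt.decode`, which should always be set explicitly.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; in a real service this comes from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, key: bytes) -> str:
    """Sign claims with HMAC-SHA256 and return header.payload.signature."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_trusting_header(token: str, key: bytes) -> dict:
    """VULNERABLE: the algorithm is read from the token itself."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg == "none":
        # Honouring "none" means the token is accepted with no signature at all.
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("invalid token")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """HARDENED: the algorithm is fixed by the server; the header must match it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        # Rejects "none" and any other algorithm the server did not configure.
        raise ValueError("unexpected alg in header")
    if not s:
        raise ValueError("missing signature")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def strip_signature(token: str) -> str:
    """Constructed test fixture: the unsigned variant of a token, as described
    on this page, used only to check that a verifier rejects it."""
    _, p, _ = token.split(".")
    return _segment({"alg": "none", "typ": "JWT"}) + "." + p + "."


def is_accepted(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns claims for the token, False if it rejects it."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = issue_token({"sub": "alice"}, SECRET)
    unsigned = strip_signature(good)
    print("header-trusting verifier accepts unsigned token:",
          is_accepted(verify_trusting_header, unsigned, SECRET))
    print("pinned verifier accepts unsigned token:",
          is_accepted(verify_pinned, unsigned, SECRET))
```

The only difference that matters is where the algorithm comes from: `verify_trusting_header` lets the token decide, so a header that says `none` disables the check, while `verify_pinned` compares the header against a server-side constant before it ever looks at the signature and also refuses an empty signature segment.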

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⏱️ 60 minutes.