Insecurely generated token - Validation
Description
The system does not properly validate the token used for user creation. Because the verification algorithm is taken from the token itself, it is possible to modify the header that declares the algorithm with which the token is signed, so that the token is treated as unsigned.
Impact
An attacker can create users within the application using tokens that are not signed.
Recommendation
Do not select the verification algorithm from the algorithm field in the token header, since an attacker can modify it so that the token signature is never properly validated. Pin the expected algorithm on the server side and reject any token whose header does not match it.
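The flaw and its fix side by side, as an added Python example that is not part of this page or of the Fluid Attacks code base: `vulnerable_verify` trusts the algorithm named in the token header and therefore accepts an `alg: none` token that carries no signature, while `hardened_verify` pins HS256 on the server, rejects any other header value, and checks the HMAC with a constant-time comparison. The HS256 helpers, the `make_token` minting function and the secret used in the test are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(signing_input, secret):
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def make_token(payload, secret, alg="HS256"):
    """Mint a token; alg='none' reproduces the forged, unsigned token (demo helper)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    sig = b"" if alg == "none" else _hs256(signing_input, secret)
    return f"{header}.{body}.{_b64url_encode(sig)}"

def vulnerable_verify(token, secret):
    """Flawed: picks the algorithm from the attacker-controlled header."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64))["alg"]
    if alg == "none":  # header claims the token is unsigned, so it is accepted as-is
        return json.loads(_b64url_decode(body_b64))
    expected = _hs256(f"{header_b64}.{body_b64}".encode(), secret)
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(body_b64))
    return None

def hardened_verify(token, secret, expected_alg="HS256"):
    """Fixed: the server pins the algorithm; the header must match it exactly."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None  # rejects 'none' and any algorithm downgrade
    expected = _hs256(f"{header_b64}.{body_b64}".encode(), secret)
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(body_b64))
```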
Threat
Anonymous attacker from the Internet.
Expected Remediation Time
⏱️ 60 minutes.
Requirements
228 - Authenticate using standard protocols
Score
Default score using CVSS 4.0. It may change depending on the context of the source.
Base 4.0
Attack vector
N
Attack complexity
L
Attack requirements
N
Privileges required
N
User interaction
N
Confidentiality (VC)
N
Integrity (VI)
L
Availability (VA)
N
Confidentiality (SC)
N
Integrity (SI)
N
Availability (SA)
N
Threat 4.0
Exploit maturity
X
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N