CVSS Base Score: 9.8

CVE-2015-9235

Exploit
In the jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token is digitally signed with an asymmetric key (RS/ES family of algorithms), but instead the attacker sends a token digitally signed with a symmetric algorithm (HS* family).
Data provided by the National Vulnerability Database (NVD)
Affected product
Vendor: Auth0    Product: jsonwebtoken    Software platform: node.js    Version: < 4.2.2
No advisory was found for this CVE.
EPSS Metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   8.32%   0.942
CVSS Metrics
Source         Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov   9.8          3.9             5.9            CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov   7.5          10              6.4            AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

References
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/  [Vendor Advisory, Broken Link]
https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687  [Patch, Third Party Advisory]
https://nodesecurity.io/advisories/17  [Third Party Advisory]
https://www.timmclean.net/2015/02/25/jwt-alg-none.html  [Third Party Advisory, Exploit]