CVE-2018-1000125

EPSS 0.41%
Veröffentlicht 13.03.2018 21:29:00
Zuletzt bearbeitet 21.11.2024 03:39:44
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid signature. This attack appear to be exploitable via an attacker crafting a token with a valid header and body and then requests it to be validated. This vulnerability appears to have been fixed in 1.3.0 and later or after commit 0d94dcef0133d699f21d217e922564adbb83a227.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Inversoft ≫ Prime-jwt Version < 1.3.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.41%	0.607

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/inversoft/prime-jwt/blob/master/CHANGES

Third Party Advisory

Release Notes

https://github.com/inversoft/prime-jwt/issues/2

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-1000125

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-1000125

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-1000125

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2018-1000125