9.8

CVE-2023-23928

reason-jose is a JOSE implementation in ReasonML and OCaml. `Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.
Data provided by the National Vulnerability Database (NVD)
Reason-jose Project: Reason-jose, Version < 0.8.2
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.17% 0.376
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 5.9 1.6 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.