Auth0

Jsonwebtoken

4 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.06%
  • Published 23.12.2022 00:15:12
  • Last modified 21.11.2024 06:48:46

Versions `<=8.5.1` of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm a...

  • EPSS 0.02%
  • Published 22.12.2022 19:15:08
  • Last modified 13.02.2025 17:15:38

In versions `<=8.5.1` of the `jsonwebtoken` library, the lack of an algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do no...

  • EPSS 0.05%
  • Published 22.12.2022 18:15:09
  • Last modified 21.11.2024 06:48:46

jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of the `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link wi...

Exploit
  • EPSS 32.47%
  • Published 29.05.2018 20:29:00
  • Last modified 21.11.2024 02:40:07

In the jsonwebtoken node module before 4.2.2, it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family of algorithms) is expected but the attacker instead sends a token digitally signed with a symmetric a...