Signature Validation Bypass Affecting json-jwt package, versions <1.9.4


0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.09% (38th percentile)
Expand this section
NVD
5.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-JSONJWT-22038
  • published 28 Jun 2018
  • disclosed 2 May 2018
  • credit Unknown

How to fix?

Upgrade json-jwt to version 1.9.4 or higher.

Overview

json-jwt is a JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby.

Affected versions of this package are vulnerable to Signature Validation Bypass. Due to Improper Verification of Cryptographic Signature, an attacker could forge an forge an authentication tag.