Code injection

2020-07-3014:15:00

PRIOn knowledge base

www.prio-n.com

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.7%

JSON

An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing (DP3T). When it is configured to check JWT before uploading/publishing keys, it is possible to skip the signature check by providing a JWT token with alg=none.

CPENameOperatorVersion
dp3t-backend-software_development_kitlt1.1.1

CPE	Name	Operator	Version
	dp3t-backend-software_development_kit	lt	1.1.1

References

github.com/dp-3T/dp3t-sdk-backend

github.com/DP-3T/dp3t-sdk-backend/compare/v1.0.4...v1.1.0

github.com/DP-3T/dp3t-sdk-backend/security/advisories/GHSA-5m5q-3qw2-3xf3