Lucene search
Veracode Vulnerability DatabaseVERACODE:38572HistoryDec 23, 2022 - 6:16 a.m.
Incorrect Verification Of Tokens
2022-12-2306:16:20
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
22
incorrect verification
token validation
key retrieval
symmetric keys
asymmetric keys
remote attack
0.001 Low
EPSS
Percentile
37.0%
jsonwebtoken is vulnerable to incorrect verification of tokens. A remote attacker is able to validate forged tokens via passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument when the application is supporting both symmetric and asymmetric keys with the same key retrieval function.
| CPE | Name | Operator | Version |
|---|---|---|---|
| jsonwebtoken | le | 7.1.0 | |
| jsonwebtoken | le | 8.5.1 | |
| jsonwebtoken | le | 8.5.1 | |
| jsonwebtoken | le | 7.1.0 | |
| jsonwebtoken | le | 8.5.1 | |
| jsonwebtoken | le | 8.5.1 |
References
Related
prion
prion
Design/Logic Flaw
2022-12-22 18:15:00
cvelist
cvelist
vulnrichment
vulnrichment
nvd
nvd
CVE-2022-23541
2022-12-22 18:15:09
osv
osv
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
2022-12-22 03:33:19
CVE-2022-23541
2022-12-22 18:15:09
redhatcve
redhatcve
CVE-2022-23541
2023-02-23 18:59:15
github
github
cve
cve
CVE-2022-23541
2022-12-22 18:15:09
ibm
ibm
redhat
redhat