GitHub_MVULNRICHMENT:CVE-2022-23540CVE-2022-23540 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you donβt need to allow for the none algorithm. If you need βnoneβ algorithm, you have to explicitly specify that in jwt.verify() options.
CNA Affected
[
{
"vendor": "auth0",
"product": "node-jsonwebtoken",
"versions": [
{
"status": "affected",
"version": "<= 8.5.1"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial