Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00cnI2LWdmNTktZ2d3Nc4AA8Rn
namshi/jose - Verification bypass
Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).
Permalink: https://github.com/advisories/GHSA-4rr6-gf59-ggw5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cnI2LWdmNTktZ2d3Nc4AA8Rn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-4rr6-gf59-ggw5
References:
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
- https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries
- https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-03-10.yaml
- https://github.com/advisories/GHSA-4rr6-gf59-ggw5
Affected Packages
packagist:namshi/jose
Dependent packages: 118Dependent repositories: 24,943
Downloads: 81,245,008 total
Affected Version Ranges: < 2.2.0
Fixed in: 2.2.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4
All unaffected versions: 2.2.0, 2.2.1, 2.2.2, 3.0.0, 3.0.1, 4.0.0, 4.0.1, 5.0.0, 5.0.1, 5.0.2, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.1.1, 7.0.0, 7.1.0, 7.2.0, 7.2.1, 7.2.2, 7.2.3