Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05Z3h2LXg3cnAtcjJoY84AA8Ib
gree/jose - "None" Algorithm treated as valid in tokens
Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).
Permalink: https://github.com/advisories/GHSA-9gxv-x7rp-r2hcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Z3h2LXg3cnAtcjJoY84AA8Ib
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 7 months ago
Identifiers: GHSA-9gxv-x7rp-r2hc
References:
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
- https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries
- https://github.com/FriendsOfPHP/security-advisories/blob/master/gree/jose/2016-08-30.yaml
- https://github.com/advisories/GHSA-9gxv-x7rp-r2hc
Affected Packages
packagist:gree/jose
Dependent packages: 10Dependent repositories: 45
Downloads: 2,050,212 total
Affected Version Ranges: <= 2.2.0
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.3, 0.1.4, 0.1.5, 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.1.0, 2.2.0