Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY1cnYtaHB4Zy04eDQ5

Signature validation bypass in ServiceStack

ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.

Permalink: https://github.com/advisories/GHSA-v5rv-hpxg-8x49
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY1cnYtaHB4Zy04eDQ5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: about 1 year ago

Identifiers: GHSA-v5rv-hpxg-8x49, CVE-2020-28042
References: Repository: https://github.com/ServiceStack/ServiceStack
Blast Radius: 1.0

Affected Packages

nuget:ServiceStack
Dependent packages: 0
Dependent repositories: 0
Downloads: 12,087,590 total
Affected Version Ranges: < 5.9.2
Fixed in: 5.9.2
All affected versions: 2.2.2, 2.9.0, 2.92.0, 2.93.0, 2.95.0, 2.96.0, 3.0.0, 3.0.5, 3.0.6, 3.0.7, 3.0.9, 3.1.0, 3.1.1, 3.1.3, 3.1.6, 3.1.7, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.8, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.7, 3.5.8, 3.5.9, 3.6.0, 3.6.2, 3.6.3, 3.6.5, 3.6.6, 3.6.7, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.7, 3.7.8, 3.7.9, 3.8.3, 3.8.5, 3.8.7, 3.8.8, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 3.9.10, 3.9.11, 3.9.14, 3.9.15, 3.9.16, 3.9.17, 3.9.18, 3.9.19, 3.9.21, 3.9.22, 3.9.23, 3.9.24, 3.9.25, 3.9.28, 3.9.32, 3.9.33, 3.9.34, 3.9.35, 3.9.37, 3.9.38, 3.9.40, 3.9.42, 3.9.43, 3.9.44, 3.9.45, 3.9.46, 3.9.47, 3.9.48, 3.9.49, 3.9.53, 3.9.54, 3.9.55, 3.9.56, 3.9.58, 3.9.59, 3.9.60, 3.9.61, 3.9.62, 3.9.63, 3.9.64, 3.9.65, 3.9.66, 3.9.67, 3.9.68, 3.9.69, 3.9.70, 3.9.71, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.20, 4.0.21, 4.0.22, 4.0.23, 4.0.24, 4.0.30, 4.0.31, 4.0.32, 4.0.33, 4.0.34, 4.0.35, 4.0.36, 4.0.38, 4.0.40, 4.0.42, 4.0.44, 4.0.46, 4.0.48, 4.0.50, 4.0.52, 4.0.54, 4.0.56, 4.0.58, 4.0.60, 4.0.62, 4.5.0, 4.5.2, 4.5.4, 4.5.6, 4.5.8, 4.5.10, 4.5.12, 4.5.14, 5.0.0, 5.0.2, 5.1.0, 5.2.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0
All unaffected versions: 5.9.2, 5.9.3, 5.10.0, 5.10.2, 5.10.4, 5.11.0, 5.12.0, 5.13.0, 5.13.2, 5.14.0, 6.0.0, 6.0.2, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.9.1, 6.10.0, 6.11.0, 8.0.0, 8.1.0, 8.1.2, 8.2.0, 8.2.2