namshi/jose insecure JSON Web Signatures (JWS)

High severity GitHub Reviewed Published May 17, 2024 to the GitHub Advisory Database

Package

composer namshi/jose (Composer)

Affected versions

< 1.1.2
>= 1.2.0, < 1.2.2
>= 2.0.0, < 2.0.3
>= 2.1.0, < 2.1.2

Patched versions

1.1.2
1.2.2
2.0.3
2.1.2

Description

namshi/jose allows the acceptance of insecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of a JWS, permits tokens signed with the 'none' algorithm to be processed. This behavior poses a significant security risk because an unverified token is trusted: an attacker could impersonate users by crafting a JWT that the application accepts as valid.
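The defensive fix is to never let a verifier take the algorithm from the token itself: load with $allowUnsecure left at false and verify against one fixed, expected algorithm. The following is an added, library-free PHP example (not namshi/jose code) of a minimal HS256 JWS verifier that applies those two rules; the secret, claims and tokens are constructed here for illustration.

```php
<?php
// Added example, not code from namshi/jose: a minimal JWS verifier that
// refuses the 'none' algorithm and pins the expected algorithm (HS256)
// before checking the MAC. Secret and tokens below are constructed samples.

function base64url_decode(string $data)
{
    $remainder = strlen($data) % 4;
    if ($remainder) {
        $data .= str_repeat('=', 4 - $remainder);
    }
    // strict mode returns false on any character outside the base64 alphabet
    return base64_decode(strtr($data, '-_', '+/'), true);
}

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Returns the decoded payload on success, null on any failure.
function verify_hs256(string $token, string $secret): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    $header = json_decode((string) base64url_decode($h), true);
    if (!is_array($header)) {
        return null;
    }
    // Pin the algorithm: this rejects 'none' (in any capitalisation) and
    // every other algorithm the verifier was not configured for.
    if (!isset($header['alg']) || $header['alg'] !== 'HS256') {
        return null;
    }

    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $sig = base64url_decode($s);
    // hash_equals is constant-time and fails on a length mismatch (empty signature)
    if ($sig === false || !hash_equals($expected, $sig)) {
        return null;
    }

    $payload = json_decode((string) base64url_decode($p), true);
    return is_array($payload) ? $payload : null;
}

// Constructed samples: one correctly signed token, one unsigned token
// whose header claims alg=none, as the advisory describes.
$secret = 'example-shared-secret';            // constructed
$hdr = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$pl  = base64url_encode(json_encode(['sub' => 'alice']));
$signed   = "$hdr.$pl." . base64url_encode(hash_hmac('sha256', "$hdr.$pl", $secret, true));
$unsigned = base64url_encode(json_encode(['alg' => 'none'])) . ".$pl.";

var_dump(verify_hs256($signed, $secret));   // array with 'sub' => 'alice'
var_dump(verify_hs256($unsigned, $secret)); // NULL: alg=none is refused
```

The same two rules apply when using the library itself: pass false (the default) for $allowUnsecure when loading a JWS, and pass the single algorithm your application issues tokens with when verifying, rather than trusting whatever the token's header names.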

References

Published to the GitHub Advisory Database May 17, 2024
Reviewed May 17, 2024

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-hxhc-wmg8-xrqf

Source code
