|
[Japanese]
|
JVNDB-2017-007582
|
jwt-scala fails to verify token signatures
|
|
jwt-scala contains a vulnerability where it fails to verify token signatures correctly.
jwt-scala is a Scala library to handle JSON Web Token (JWT). jwt-scala contains a vulnerability where it fails to verify token signatures correctly due to improper processing of JWT headers.
Toshiharu Sugiyama of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to the developer and JPCERT/CC and directly coordinated with the developer. JPCERT/CC published this advisory as the developer agreed with the publication on JVN.
|
|
CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
jwt-scala project
- jwt-scala 1.2.2 and earlier
|
|
|
Specially crafted tokens may be verified successfully, whereas the verification should be failed.
|
|
[Use the Latest Source Code]
The source code patch is applied on the github repository on September 11, 2017.
applied
https://github.com/reallylabs/jwt-scala/commit/093a9891471608623c715abd08ab0c237489b05a
[Apply a Workaround]
Check that alg field value in the JWT header is appropriate.
|
|
jwt-scala project
|
|
- Improper Authentication(CWE-287) [IPA Evaluation]
|
|
- CVE-2017-10862
|
|
- JVN : JVNVU#90916766
- National Vulnerability Database (NVD) : CVE-2017-10862
|
|
- [2017/09/26]
Web page was published
- [2018/03/07]
References : Content was added
|
