You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
Impact: Exposure of Sensitive Information, Manipulation of Data, Denial of Service (DoS)
For jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution. [CVE-2022-23529]
jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. [CVE-2022-23539]
For jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. [CVE-2022-23540]
jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the secretOrPublicKey argument from the readme link) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. [CVE-2022-23541]
To Reproduce
Steps to reproduce the behavior:
NA
Expected behavior
NA
Screenshots
NA
Desktop (please complete the following information):
OS: [e.g. iOS]
Browser [e.g. chrome, safari]
Version [e.g. 22]
Smartphone (please complete the following information):
Device: [e.g. iPhone6]
OS: [e.g. iOS8.1]
Browser [e.g. stock browser, safari]
Version [e.g. 22]
** MindSphere Plan **
start for free
iot value plan
developer plan
operator plan
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered:
Describe the bug
Impact: Exposure of Sensitive Information, Manipulation of Data, Denial of Service (DoS)
For jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution. [CVE-2022-23529]
jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. [CVE-2022-23539]
For jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. [CVE-2022-23540]
jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the secretOrPublicKey argument from the readme link) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. [CVE-2022-23541]
To Reproduce
Steps to reproduce the behavior:
NA
Expected behavior
NA
Screenshots
NA
Desktop (please complete the following information):
Smartphone (please complete the following information):
** MindSphere Plan **
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: