JWT Signature Validation Flaw in Inversoft's Prime-JWT
CVE-2018-1000531

7.5HIGH

Key Information:

Vendor: Inversoft
Status: Prime-jwt
Vendor: CVE Published:; 26 June 2018

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2018-1000531?

Inversoft's Prime-JWT prior to a specific commit is vulnerable to an improper input validation issue, specifically in the JWTDecoder.decode function. This flaw allows attackers to craft a malicious JWT token using the 'none' algorithm in the header, potentially leading to incorrect signature validation. If exploited, this vulnerability permits unauthorized access or manipulation of sensitive information. It is critical for users of this library to update to a version that includes the fix implemented in commit abb0d479389a2509f939452a6767dc424bb5e6ba.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

JWT-Bruteforcer
Created by realbatuhan

References

https://github.com/inversoft/prime-jwt/issues/3

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 16, 2024
👾
Exploit known to exist
Nov 16, 2024
Vulnerability published
Jun 26, 2018
Vulnerability Reserved
May 2, 2018