Improper Cryptographic Signature Verification in Nov json-jwt Component
CVE-2018-1000539

5.3MEDIUM

Key Information:

Vendor

Json-jwt Project

Status
Json-jwt
Vendor
CVE Published:
26 June 2018

What is CVE-2018-1000539?

The Nov json-jwt library, specifically versions before 1.9.4, contains a vulnerability that allows for improper verification of cryptographic signatures in AES-GCM encrypted JSON Web Tokens. This flaw can potentially enable attackers to forge authentication tags, leading to unauthorized access or manipulation of data transmitted over a network. The vulnerability can be exploited due to insufficient cryptographic safeguards, and it highlights the importance of using updated software versions to mitigate such risks.

References

https://github.com/nov/json-jwt/pull/62
x_refsource_MISC
https://www.debian.org/security/2018/dsa-4283
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.