Incorrect Access Control in JWT Security Token for perl-CRYPT-JWT by DCIT
CVE-2019-1010161

9.8 CRITICAL

Key Information:

Vendor: DCIT
CVE Published: 25 July 2019

Summary

The perl-CRYPT-JWT library contains an incorrect access control vulnerability in the JWT.pm component, specifically at line 614 in the _decode_jws() function, which allows an unauthenticated attacker to bypass authentication. Versions 0.022 and earlier are affected. The attack vector is network connectivity with user-controlled input, meaning an attacker who can submit a token to a service that validates it with the vulnerable library can evade authentication. Users are urged to upgrade to version 0.023, which fixes the issue.

Affected Version(s)

perl-CRYPT-JWT 0.022 and earlier [fixed: 0.023]

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

CVE-2019-1010161 : Incorrect Access Control in JWT Security Token for perl-CRYPT-JWT by DCIT | SecurityVulnerability.io