Incorrect Access Control in Perl Crypt::JWT Affecting DCIT Software
CVE-2019-1010263
9.8 CRITICAL
Summary
The Perl Crypt::JWT library prior to version 0.023 is susceptible to an Incorrect Access Control vulnerability. The flaw allows an attacker to craft an HMAC token that bypasses the library's authentication checks. The vulnerable code is in JWT.pm at line 614, and the flaw can be exploited over the network, enabling unauthorized access to resources. Users are advised to upgrade to a fixed version, that is, one released after commit b98a59b42ded9f9e51b2560410106207c2152d6c, to mitigate this risk.
Affected Version(s)
Perl Crypt::JWT prior to 0.023 [fixed: after commit b98a59b42ded9f9e51b2560410106207c2152d6c]
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved