CVE-2016-10555
Last modified
CVE-2016-10555 is a vulnerability of currently unknown severity. Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. EPSS estimates a 4.90% chance of exploitation in the next 30 days.
Description
Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jwt-Simple Project | Jwt-Simple | <= 0.3.0 |
References
- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ (Broken Link, Third Party Advisory)
- https://github.com/hokaccha/node-jwt-simple/pull/14 (Issue Tracking, Third Party Advisory)
- https://github.com/hokaccha/node-jwt-simple/pull/16 (Issue Tracking, Third Party Advisory)
- https://nodesecurity.io/advisories/87 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2016-10555?
How severe is CVE-2016-10555?
How do I fix CVE-2016-10555?
Are you affected by CVE-2016-10555?
Source: NVD / NIST
