oliver-jung published GHSA-fjq8-896w-pv28 on Jul 26, 2021
Package
No package listed
Affected versions
<3b96cb0
Patched versions
>=3b96cb0
Description
Impact
https://github.com/nimble-platform/common before version 3b96cb0 did not properly verify the signature of JSON Web Tokens.
This allows an attacker to forge a JWT that the application accepts as valid.
Being able to forge JWTs may lead to authentication bypass.
Patches
The problem is patched on master from version 3b96cb0 onward. The relevant commits are 12197a7 and a59ad46.
Workarounds
ValidationUtil in https://github.com/nimble-platform/common (https://github.com/nimble-platform/common/blob/master/utility/src/main/java/eu/nimble/utility/validation/ValidationUtil.java#L39) parses the received JWT with the parse method of jjwt's JwtParser.
parse returns the contents of any well-formed token, including an unsigned one, without requiring that a signature was verified, so its result must not be used to make an authentication decision.
To correctly verify the signature, call parseClaimsJws instead: it succeeds only for a signed JWS whose signature verifies against the configured key and throws for anything else (an unsigned token, a bad signature, a non-claims body), so the caller can treat an exception as an invalid token.
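The following is an added illustration, not code from nimble-platform/common or from jjwt, written in Python with the standard library so it runs stand-alone. It contrasts a lenient parser that hands back claims from any well-formed token (the failure mode described above) with a strict verifier that behaves like parseClaimsJws: it accepts only an HS256-signed JWS whose signature checks out. The forgery shown is the unsigned-token variant (alg set to none with an empty signature segment); the advisory does not say which forgery technique was used against the project, so this is an assumed example. The secret and claims are constructed sample values.

```python
"""Forged-JWT demo: lenient parsing versus strict signed-JWS verification.
Stdlib only; SECRET and all claims are constructed sample values."""
import base64
import hashlib
import hmac
import json

# Constructed sample secret; a real service loads this from a secret store.
SECRET = b"nimble-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed JWS, as the legitimate token issuer does."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_unsigned(claims: dict) -> str:
    """Attacker-built token: alg=none header, arbitrary claims, empty signature."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def lenient_parse(token: str) -> dict:
    """Vulnerable pattern: return the claims of any well-formed token without
    requiring that a signature was ever verified."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def strict_parse_jws(token: str, key: bytes) -> dict:
    """Fixed pattern: accept only a signed JWS whose HS256 signature verifies.
    Unsigned tokens, other algorithms and bad signatures raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: 'none' and anything other than HS256 is refused, so the
    # attacker cannot choose the verification method through the header.
    if header.get("alg") != "HS256" or not sig_b64:
        raise ValueError("unsigned or unexpected-algorithm token rejected")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def demo() -> dict:
    """Run both parsers over a genuine and a forged token; report what each accepted."""
    genuine = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_unsigned({"sub": "alice", "role": "admin"})
    result = {
        "lenient_genuine": lenient_parse(genuine)["role"],
        "lenient_forged": lenient_parse(forged)["role"],  # attacker-chosen role accepted
        "strict_genuine": strict_parse_jws(genuine, SECRET)["role"],
    }
    try:
        strict_parse_jws(forged, SECRET)
        result["strict_forged"] = "accepted"
    except ValueError:
        result["strict_forged"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The strict verifier also refuses a token whose payload was edited after signing, because the HMAC is computed over the header and payload segments as received; that is the property the lenient parser never checks.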
References
https://jwt.io/
For more information
If you have any questions or comments about this advisory: