JWS and JWT signature validation vulnerability with special characters
- Severity: High
Description
Jsrsasign supports JWS (JSON Web Signature) and JWT (JSON Web Token) validation. However, a JWS or JWT signature containing characters outside the Base64URL alphabet, or number-escaped characters, may be mistakenly accepted as valid.
Recommendation
Update the jsrsasign package to the latest compatible version. Version details:
- Affected version(s): >= 4.8.0, < 10.5.25
- Patched version(s): 10.5.25
References
Related Issues
- ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding in jsrsasign - CVE-2020-14966
- RSA signature validation vulnerability on malleable encoded message in jsrsasign - CVE-2021-30246
- RSA-PSS signature validation vulnerability by prepending zeros in jsrsasign - CVE-2020-14968
- Cisco node-jose improper validation of JWT signature - CVE-2018-0114
- Tags:
- npm
- jsrsasign
Last updated on January 27, 2023