CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-18848
https://notcve.org/view.php?id=CVE-2019-18848
The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string. La gema json-jwt versiones anteriores a 1.11.0 para Ruby, carece de un conteo de elementos durante la división de una cadena JWE. • https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a https://github.com/nov/json-jwt/compare/v1.10.2...v1.11.0 https://lists.debian.org/debian-lts-announce/2020/10/msg00001.html • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000539
https://notcve.org/view.php?id=CVE-2018-1000539
Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later. Nov json-jwt, en versiones 0.5.0 hasta la 1.9.4 contiene una vulnerabilidad CWE-347: verificación incorrecta de firmas criptográficas en el descifrado de tokens web JSON cifrados por AES-GCM que puede resultar en que un atacante falsifique una etiqueta de autenticación. Este ataque parece ser explotable mediante conectividad de red. • https://github.com/nov/json-jwt/pull/62 https://www.debian.org/security/2018/dsa-4283 • CWE-347: Improper Verification of Cryptographic Signature •