
CVSS: 3.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Nov 2024 — golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are potentially not checking errors in the way they should be. In particular, if a token is both expired and invalid, the error returned by `ParseWithClaims` carries both error codes. If users only check for `jwt.ErrTokenExpired` using `errors.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fi... • https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c • CWE-755: Improper Handling of Exceptional Conditions

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Jan 2017 — The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack. • http://www.securityfocus.com/bid/95847 • CWE-361: 7PK - Time and State

CVSS: 7.5 • EPSS: 1% • CPEs: 1 • EXPL: 0

05 Jun 2015 — JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signature verification via crafted tokens. • http://jvn.jp/en/jp/JVN06120222/index.html • CWE-20: Improper Input Validation