
CVSS: 3.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior of `ParseWithClaims` can lead to a situation where users do not check errors the way they should. In particular, if a token is both expired and invalid, the error returned by `ParseWithClaims` wraps both error codes. If users only check for `jwt.ErrTokenExpired` using `errors.Is`, they ignore the embedded `jwt.ErrTokenSignatureInvalid` and may therefore accept tokens with invalid signatures. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. • https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r • CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack. • http://www.securityfocus.com/bid/95847 https://github.com/emarref/jwt/pull/20 https://github.com/emarref/jwt/releases/tag/1.0.3 • CWE-361: 7PK - Time and State •

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signature verification via crafted tokens. • http://jvn.jp/en/jp/JVN06120222/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2015-000073 http://www.securityfocus.com/bid/75021 https://github.com/F21/jwt/commit/a327cf9052df8f9f97728ca0b5fa78a8231b79b6 • CWE-20: Improper Input Validation •