CVE-2018-1000539
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later.
Nov json-jwt, en versiones 0.5.0 hasta la 1.9.4 contiene una vulnerabilidad CWE-347: verificación incorrecta de firmas criptográficas en el descifrado de tokens web JSON cifrados por AES-GCM que puede resultar en que un atacante falsifique una etiqueta de autenticación. Este ataque parece ser explotable mediante conectividad de red. La vulnerabilidad parece haber sido solucionada en las versiones 1.9.4 y siguientes.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-05-01 CVE Reserved
- 2018-06-26 CVE Published
- 2024-05-05 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-347: Improper Verification of Cryptographic Signature
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/nov/json-jwt/pull/62 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.debian.org/security/2018/dsa-4283 | 2018-09-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Json-jwt Project Search vendor "Json-jwt Project" | Json-jwt Search vendor "Json-jwt Project" for product "Json-jwt" | >= 0.5.0 < 1.9.4 Search vendor "Json-jwt Project" for product "Json-jwt" and version " >= 0.5.0 < 1.9.4" | - |
Affected
| ||||||