// For flags

CVE-2021-46743

Firebase PHP-JWT < 6.0.0 - Algorithm Confusion

Severity Score

9.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself.

En Firebase PHP-JWT versiones anteriores a 6.0.0, se presenta un problema de confusión de algoritmos (por ejemplo, RS256 / HS256) por medio del encabezado kid (también se conoce como Key ID), cuando son cargados varios tipos de claves en un llavero. Esto permite a un atacante falsificar tokens que son comprobados bajo la clave incorrecta. NOTA: esto proporciona una forma directa de usar la biblioteca PHP-JWT de forma no segura, pero podría no considerarse una vulnerabilidad en la propia biblioteca

In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. This may or may not be exploitable in WordPress plugins and themes using the library.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-03-29 CVE Reserved
  • 2022-03-29 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2024-11-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CAPEC
References (1)
URL Tag Source
URL Date SRC
https://github.com/firebase/php-jwt/issues/351 2024-08-04
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Google
Search vendor "Google"
 Firebase Php-jwt
Search vendor "Google" for product "Firebase Php-jwt"
 < 6.0.0
Search vendor "Google" for product "Firebase Php-jwt" and version " < 6.0.0"
-
Affected