漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
漏洞
Authorization bypass in express-jwt
漏洞信息
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.
漏洞信息
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
漏洞
授权机制不恰当
漏洞
Auth0 express-jwt 授权问题漏洞
漏洞信息
Auth0 express-jwt是美国Auth0公司的一款支持通过jsonwebtoken模块验证JWT(JSON Web令牌)的软件包。 Auth0 express-jwt 5.3.3及之前版本(NPM软件包)中存在授权问题漏洞。攻击者可借助特制请求利用该漏洞绕过授权。
漏洞信息
N/A
漏洞
N/A