Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authorization bypass in express-jwt
Vulnerability Description
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
授权机制不恰当
Vulnerability Title
Auth0 express-jwt 授权问题漏洞
Vulnerability Description
Auth0 express-jwt是美国Auth0公司的一款支持通过jsonwebtoken模块验证JWT(JSON Web令牌)的软件包。 Auth0 express-jwt 5.3.3及之前版本(NPM软件包)中存在授权问题漏洞。攻击者可借助特制请求利用该漏洞绕过授权。
CVSS Information
N/A
Vulnerability Type
N/A