Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
File reference keys leads to incorrect hashes on HMAC algorithms
Vulnerability Description
JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\JWT\Signer\Key\LocalFileReference`, and suggest `Lcobucci\JWT\Signer\Key\InMemory` as the alternative. As a workaround, use `Lcobucci\JWT\Signer\Key\InMemory` instead of `Lcobucci\JWT\Signer\Key\LocalFileReference` to create the instances of one's keys.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vulnerability Type
对数据真实性的验证不充分
Vulnerability Title
Lcobucci jwt 数据伪造问题漏洞
Vulnerability Description
Jwt是一个使用Json Web Token和Json Web Signature的简单库。 Lcobucci jwt 存在数据伪造问题漏洞,该漏洞源于产品中基于hmac算法使用文件路径作为哈希密钥来验证令牌导致未能验证数据的有效性。攻击者可通过伪造的数据发起请求。以下产品及版本受到影响:Lcobucci jwt 3.4.6、Lcobucci jwt 4.0.4 及 Lcobucci jwt 4.1.5 之前版本。
CVSS Information
N/A
Vulnerability Type
N/A