Vulnerability Information
Vulnerability Title
OliveTin: JWT Audience Validation Bypass in Local Key and HMAC Modes
Vulnerability Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
Improper Authentication
Vulnerability Title
OliveTin Data Forgery Vulnerability
Vulnerability Description
OliveTin is an open-source web application from OliveTin. Versions of OliveTin prior to 3000.11.1 contain a data forgery vulnerability. The flaw stems from the audience value not being enforced when JWT authentication is configured, which may allow authentication with tokens intended for a different audience.
CVSS Information
N/A
Vulnerability Type
N/A
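The audience check the advisory above describes, as an added illustration that is not OliveTin's own code: a minimal HS256 verifier written against the Go standard library (OliveTin is a Go project), where an empty expected audience reproduces the weak behaviour (a validly signed token for another service is accepted) and a non-empty one enforces it the way the configured authJwtAud should. The secret and claims are constructed demo values; the function and parameter names are this example's, not OliveTin's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
// signHS256 mints a compact HS256 token; used here only to construct demo input.
func signHS256(secret []byte, claims map[string]interface{}) string {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}
// audContains handles both forms RFC 7519 allows for aud: a single string or an array of strings.
func audContains(aud interface{}, want string) bool {
	list, _ := aud.([]interface{})
	for _, a := range append([]interface{}{aud}, list...) {
		if a == want {
			return true
		}
	}
	return false
}
// verifyHS256 checks the HMAC (the header's alg is ignored, so it cannot be steered elsewhere), then the audience.
func verifyHS256(token string, secret []byte, wantAud string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]interface{}
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	// An empty wantAud reproduces the weak behaviour: any validly signed token passes, whatever its aud.
	if wantAud != "" && !audContains(claims["aud"], wantAud) {
		return nil, errors.New("audience mismatch")
	}
	return claims, nil
}
```

A signature check alone only proves the token came from a trusted issuer; the audience check is what ties it to this service, so the verifier must always be called with the configured audience.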