CVE-2022-25898

Sažetak

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.

Reference

https://github.com/kjur/jsrsasign/releases/tag/10.5.25
https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897
https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

13-07-2022 - 19:01

Objavljeno

01-07-2022 - 20:15