graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT.
{
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*",
"cpe:2.3:a:hasura:graphql_engine:1.0.0:-:*:*:*:*:*:*",
"cpe:2.3:a:hasura:graphql_engine:1.0.0:beta.1:*:*:*:*:*:*",
"cpe:2.3:a:hasura:graphql_engine:1.0.0:beta.2:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
},
{
"introduced": "1.0.0-NA"
},
{
"last_affected": "1.0.0-NA"
},
{
"introduced": "1.0.0-beta\\.1"
},
{
"last_affected": "1.0.0-beta\\.1"
},
{
"introduced": "1.0.0-beta\\.2"
},
{
"last_affected": "1.0.0-beta\\.2"
}
]
}