CVE-2020-28042
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-28042
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28042.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-28042
- Aliases
- Published
- 2020-11-02T21:15:31Z
- Modified
- 2024-05-15T01:12:31.720088Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
- References
-
- https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850
- https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/
- https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/
- https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee
Affected packages
Git / github.com/servicestack/servicestack
Affected ranges
- Type
- GIT
- Repo
- https://github.com/servicestack/servicestack
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
v3-snapshot
v5
v4.*
v4.0.10-sync
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.0.21
v4.0.22
v4.0.23
v4.0.24
v4.0.30
v4.0.31
v4.0.32
v4.0.33
v4.0.34
v4.0.35
v4.0.36
v4.0.38
v4.0.40
v4.0.42
v4.0.44
v4.0.46
v4.0.48
v4.0.50
v4.0.52
v4.0.54
v4.0.56
v4.0.58
v4.0.60
v4.0.62
v4.5.0
v4.5.10
v4.5.12
v4.5.14
v4.5.2
v4.5.4
v4.5.6
v4.5.8
v5.*
v5.0.2
v5.1.0
v5.2.0
v5.4
v5.5
v5.6
v5.7
v5.8
v5.9