CVE-2021-27884

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-27884

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27884.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-27884

Aliases

GHSA-2h3h-vw8r-82rp

Published

2021-03-01T23:15:13.267Z

Modified

2026-04-10T04:30:44.996575Z

Severity

5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.

References

Affected packages

Git / github.com/ymfe/yapi

Affected ranges

Type

GIT

Repo

https://github.com/ymfe/yapi

Events

Introduced

Last affected

ff13353e2fd6e2c37908427dd2e6d287ef8d28ec

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9.2"
        }
    ]
}

Affected versions

v1.*

v1.3.1

v1.3.10

v1.3.11

v1.3.12

v1.3.13

v1.3.14

v1.3.5

v1.3.6

v1.3.7

v1.3.9

v1.4.3

v1.4.4

v1.5.0

v1.5.1

v1.5.10

v1.5.11

v1.5.12

v1.5.13

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.7.0

v1.7.0-beta.0

v1.7.0-beta.1

v1.7.1

v1.7.2

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.7

v1.8.8

v1.9.0

v1.9.1

v1.9.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27884.json"