CVE-2021-27884

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-27884

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27884.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-27884

Aliases

GHSA-2h3h-vw8r-82rp

Published

2021-03-01T23:15:13Z

Modified

2024-11-21T05:58:41Z

Severity

5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.

References

https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
https://github.com/YMFE/yapi/issues/2117

Affected packages

Git / github.com/ymfe/yapi

Affected ranges

Type: GIT
Repo: https://github.com/ymfe/yapi
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

ff13353e2fd6e2c37908427dd2e6d287ef8d28ec