CVE-2021-4314

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-4314

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-4314.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-4314

Published

2023-01-18T16:15:11.130Z

Modified

2026-03-14T11:15:54.235381Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

It is possible to manipulate the JWT token without the knowledge of the JWT secret and authenticate without valid JWT token as any user. This is happening only in the situation when zOSMF doesn’t have the APAR PH12143 applied. This issue affects: 1.16 versions to 1.19. What happens is that the services using the ZAAS client or the API ML API to query will be deceived into believing the information in the JWT token is valid when it isn’t. It’s possible to use this to persuade the southbound service that different user is authenticated.

References

https://github.com/zowe/api-layer/

Affected packages

Git / github.com/zowe/api-layer

Affected ranges

Type

GIT

Repo

https://github.com/zowe/api-layer

Events

Introduced

66a791de87e42717282d82616ddb09ba1442e7cd

Fixed

0473ec7b2c3e9c48bef839bc99569a199e6ad19d

Database specific

{
    "versions": [
        {
            "introduced": "1.16.0"
        },
        {
            "fixed": "1.19.0"
        }
    ]
}

Affected versions

Zowe_1.*

Zowe_1.16.0

Zowe_1.17.0

Zowe_1.18.0

v1.*

v1.16.0

v1.17.0

v1.17.1

v1.18.0

v1.18.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-4314.json"