GHSA-2h3h-vw8r-82rp

Source
https://github.com/advisories/GHSA-2h3h-vw8r-82rp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-2h3h-vw8r-82rp/GHSA-2h3h-vw8r-82rp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2h3h-vw8r-82rp
Aliases
Published
2021-03-26T16:49:26Z
Modified
2023-11-08T04:05:25.888063Z
Severity
  • 5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Weak JSON Web Token in yapi-vendor
Details

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. The JWT signing secret is derived from Node.js Math.random, which is a non-cryptographic PRNG (V8's xorshift128+): its output is predictable and its internal state can be recovered from observed values, so it does not provide cryptographically secure random numbers (CWE-330). An attacker who reproduces the secret used for a victim's account can sign a valid token for that user. This has been patched in version 1.9.3. Secrets of this kind should be drawn from a CSPRNG such as Node's crypto.randomBytes.

Database specific
{
    "nvd_published_at": "2021-03-01T23:15:00Z",
    "github_reviewed_at": "2021-03-26T16:48:44Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-330"
    ]
}
References

Affected packages

npm / yapi-vendor

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.3

Database specific

{
    "last_known_affected_version_range": "<= 1.9.2"
}