GHSA-6g3c-2mh5-7q6x

Suggest an improvement
Source
https://github.com/advisories/GHSA-6g3c-2mh5-7q6x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-6g3c-2mh5-7q6x/GHSA-6g3c-2mh5-7q6x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6g3c-2mh5-7q6x
Aliases
Related
Published
2021-04-19T14:56:33Z
Modified
2024-02-16T08:20:14.777827Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Missing validation of JWT signature in `ManyDesigns/Portofino`
Details

Impact

Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT.

Patches

The issue will be patched in the upcoming 5.2.1 release.

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/ManyDesigns/Portofino

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-347"
    ],
    "nvd_published_at": "2021-04-16T22:15:00Z",
    "github_reviewed_at": "2021-04-16T22:57:13Z",
    "severity": "CRITICAL"
}
References

Affected packages

Maven / com.manydesigns:portofino-dispatcher

Package

Name
com.manydesigns:portofino-dispatcher
View open source insights on deps.dev
Purl
pkg:maven/com.manydesigns/portofino-dispatcher

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.2.1

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0

Maven / com.manydesigns:portofino-core

Package

Name
com.manydesigns:portofino-core
View open source insights on deps.dev
Purl
pkg:maven/com.manydesigns/portofino-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.2.1

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0