GHSA-hxhc-wmg8-xrqf

Source
https://github.com/advisories/GHSA-hxhc-wmg8-xrqf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-hxhc-wmg8-xrqf/GHSA-hxhc-wmg8-xrqf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hxhc-wmg8-xrqf
Published
2024-05-17T22:31:42Z
Modified
2024-05-17T22:47:37.820373Z
Summary
namshi/jose insecure JSON Web Signatures (JWS)
Details

namshi/jose accepts unsecured JSON Web Signatures (JWS) by default. The issue stems from the $allowUnsecure flag: when it is set to true while loading a JWS, tokens whose header declares the 'none' algorithm (i.e. unsigned tokens) are processed. This poses a significant security risk, since an attacker could impersonate users by crafting a JWT that the application treats as valid.
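
The following is an added illustration of the check at issue, written in Python rather than as namshi/jose's own PHP code: a minimal compact-JWS loader whose $allowUnsecure-style flag defaults to rejecting 'alg: none' tokens, with the key, payload and token names below being constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


class InsecureTokenError(Exception):
    """Raised when a token must not be trusted (unsigned, unknown alg, bad signature)."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS; alg='none' yields an unsigned token with an empty signature part."""
    h = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{h}.{p}."
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def load_jws(token: str, key: bytes, allow_unsecure: bool = False) -> dict:
    """Parse and verify a compact JWS. Only HS256 is trusted; 'none' is accepted
    solely when the caller opts in via allow_unsecure, mirroring the advisory's flag."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "none":
        if not allow_unsecure:
            raise InsecureTokenError("unsigned token (alg=none) rejected")
        return json.loads(_b64url_decode(p))
    if alg != "HS256":  # allowlist: anything else (incl. 'None', 'NONE') is refused
        raise InsecureTokenError(f"unsupported alg {alg!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise InsecureTokenError("signature verification failed")
    return json.loads(_b64url_decode(p))
```

With the default flag, a token whose signature part is empty and whose header says none is refused even though it parses cleanly; only an explicit opt-in lets it through.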

References

Affected packages

Packagist / namshi/jose

Package

Name
namshi/jose
Purl
pkg:composer/namshi/jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.2

Affected versions

1.*

1.0.0-beta1
1.0.0-rc1
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1

Packagist / namshi/jose

Package

Name
namshi/jose
Purl
pkg:composer/namshi/jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.2

Affected versions

1.*

1.2.0
1.2.1

Packagist / namshi/jose

Package

Name
namshi/jose
Purl
pkg:composer/namshi/jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.3

Affected versions

2.*

2.0.0
2.0.1
2.0.2

Packagist / namshi/jose

Package

Name
namshi/jose
Purl
pkg:composer/namshi/jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.2

Affected versions

2.*

2.1.0
2.1.1