jwt project jwt vulnerabilities and exploits
CVE-2016-7037 | CVSSv2 5 | Jwt Project Jwt
The verify function in Encryption/Symmetric.php in Malcolm Fell jwt prior to 1.0.3 does not use a timing-safe function for hash comparison, which allows malicious users to spoof signatures via a timing attack.
CVE-2021-41106 | CVSSv2 2.1 | Jwt Project Jwt
JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated usin...
CVE-2022-39227 | CVSSv2 NA | Python-jwt Project Python-jwt
python-jwt is a module for generating and verifying JSON Web Tokens. Versions before 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its content...
3 Github repositories
CVE-2018-1000539 | CVSSv2 5 | Json-jwt Project Json-jwt
json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in an attacker being able to forge an authentication tag. This attack appears to be exploi...
1 Github repository
CVE-2017-18239 | CVSSv2 5 | Authentikat-jwt Project Authentikat-jwt
A time-sensitive equality check on the JWT signature in the JsonWebToken.validate method in main/scala/authentikat/jwt/JsonWebToken.scala in authentikat-jwt (aka com.jason-goodwin/authentikat-jwt) version 0.4.5 and previous versions allows the supplier of a JWT token to guess bit...
CVE-2016-10555 | CVSSv2 4 | Jwt-simple Project Jwt-simple
Since "algorithm" isn't enforced in jwt.decode() in jwt-simple 0.3.0 and previous versions, a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think...
6 Github repositories
CVE-2020-26160 | CVSSv2 5 | Jwt-go Project Jwt-go
jwt-go prior to 4.0.0-preview1 allows malicious users to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security proble...
3 Github repositories
CVE-2021-24998 | CVSSv2 5 | Simple Jwt Login Project Simple Jwt Login
The Simple JWT Login WordPress plugin prior to 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be ...
CVE-2019-1010161 | CVSSv2 7.5 | Perl-crypt-jwt Project Perl-crypt-jwt
perl-CRYPT-JWT 0.022 and previous versions is affected by: Incorrect Access Control. The impact is: bypass authentication. The component is: JWT.pm for JWT security token, line 614 in _decode_jws(). The attack vector is: network connectivity (crafting user-controlled input to bypa...
CVE-2021-24804 | CVSSv2 6.8 | Simple Jwt Login Project Simple Jwt Login
The Simple JWT Login WordPress plugin prior to 3.2.1 does not have nonce checks when saving its settings, allowing malicious users to make a logged-in admin change them. Settings such as the HMAC verification secret, account registration and default user roles can be updated, which c...