CVE-2018-1000539

Published: 26/06/2018 Updated: 02/09/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in the decryption of AES-GCM encrypted JSON Web Tokens that can result in an attacker forging an authentication tag. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later.

Vulnerable Product

json-jwt project json-jwt

Vendor Advisories

Debian Bug report logs - #902721 CVE-2018-1000539 Package: ruby-json-jwt; Maintainer for ruby-json-jwt is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for ruby-json-jwt is src:ruby-json-jwt (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Fri ...

Github Repositories

Uses the Debian Security Announcements (DSA) and Ubuntu Security Notices (USN) to generate a list of Debian/Ubuntu errata.

This Debian/Ubuntu errata_parser can use the "Debian Security Announcements (DSA)" and "Ubuntu Security Notices (USN)" to generate YAML files containing up-to-date Debian or Ubuntu erratum information. It is designed to be used in conjunction with the accompanying errata_server project (github.com/ATIX-AG/errata_server), to provide a Debian/Ubuntu er