← back
CVE-2021-32631

JSON Web Tokens not properly verified

CVSS 6.5 MEDIUMEPSS 1.1%CWE-290
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 1.1%KEV nãoPoC Patch
Lifecycle
26 Jul 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Common is a package of common modules that can be accessed by NIMBLE services. Common before commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 did not properly verify the signature of JSON Web Tokens. This allows someone to forge a valid JWT. Being able to forge JWTs may lead to authentication bypasses. Commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 contains a patch for the issue. As a workaround, one may use the parseClaimsJws method to correctly verify the signature of a JWT.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected products
nimble-platform · common

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/nimble-platform/common/commit/12197a755bd524559bf4e16475595a2c6fcd34dbhttps://github.com/nimble-platform/common/commit/3b96cb0293d3443b870351945f41d7d55cb34b53https://github.com/nimble-platform/common/commit/a59ad46733912a5580530e39cac0e6ebc83cc563https://github.com/nimble-platform/common/security/advisories/GHSA-fjq8-896w-pv28