CVE-2021-4314 : It is possible to manipulate the JWT token without the knowledge of the JWT secr

It is possible to manipulate the JWT token without the knowledge of the JWT secret and authenticate without valid JWT token as any user. This is happening only in the situation when zOSMF doesn’t have the APAR PH12143 applied. This issue affects: 1.16 versions to 1.19. What happens is that the services using the ZAAS client or the API ML API to query will be deceived into believing the information in the JWT token is valid when it isn’t. It’s possible to use this to persuade the southbound service that different user is authenticated.

Published 2023-01-18 16:15:11

Updated 2025-04-03 20:15:16

Source Zowe

View at NVD, CVE.org

Products affected by CVE-2021-4314

Linuxfoundation » Zowe Api Mediation Layer
Versions from including (>=) 1.16.0 and before (<) 1.19.0
cpe:2.3:a:linuxfoundation:zowe_api_mediation_layer:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-4314

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 16 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-4314

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-04-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2021-4314

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- zowe-security@lists.openmainframeproject.org (Secondary)
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2021-4314

https://github.com/zowe/api-layer/

GitHub - zowe/api-layer: The API Mediation Layer provides a single point of access for mainframe service REST APIs.
Product

Jump to

Vulnerability Details : CVE-2021-4314

Products affected by CVE-2021-4314

Exploit prediction scoring system (EPSS) score for CVE-2021-4314

CVSS scores for CVE-2021-4314

CWE ids for CVE-2021-4314

References for CVE-2021-4314