Vulnerability Details : CVE-2022-23540
In versions `<=8.5.1` of the `jsonwebtoken` library, the lack of an algorithm definition in the `jwt.verify()` function can lead to signature validation bypass, because signature verification defaults to the `none` algorithm. Users are affected if they do not specify `algorithms` in the `jwt.verify()` function. This issue has been fixed; please update to version 9.0.0, which removes the default support for the `none` algorithm in the `jwt.verify()` method. There will be no impact if you update to version 9.0.0 and you don't need to allow the `none` algorithm. If you need the `none` algorithm, you have to explicitly specify it in the `jwt.verify()` options.
Products affected by CVE-2022-23540
- cpe:2.3:a:auth0:jsonwebtoken:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-23540
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- Percentile: ~41% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-23540
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L | 2.8 | 4.7 | NIST | |
6.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L | 1.6 | 4.7 | GitHub, Inc. | |
CWE ids for CVE-2022-23540
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: security-advisories@github.com (Secondary)
- The product uses a broken or risky cryptographic algorithm or protocol. Assigned by: nvd@nist.gov (Primary)
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-23540
- https://security.netapp.com/advisory/ntap-20240621-0007/ (May 2024 IBM Cognos Analytics Vulnerabilities in NetApp Products | NetApp Product Security)
- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6 (Insecure default algorithm in jwt.verify() could lead to signature validation bypass · Advisory · auth0/node-jsonwebtoken · GitHub) Third Party Advisory
- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3 (Merge pull request from GHSA-8cf7-32gw-wr33 · auth0/node-jsonwebtoken@e1fa9dc · GitHub) Patch