CVE-2016-10555

CVE-2016-10555

Since "algorithm" isn’t enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA’s public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.

Source: CVE-2016-10555

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다