Main
Vulnerability Database
Exploits
ID:8921 - Exploit for Information disclosure in node-jose - CVE-2018-0114
ID:8921 - Exploit for Information disclosure in node-jose - CVE-2018-0114
Published: March 17, 2023
Vulnerability identifier: #VU9721
Vulnerability risk: Low
CVE-ID: CVE-2018-0114
CWE-ID: CWE-200
Exploitation vector: Remote access
Vulnerable software:
node-jose
node-jose
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to re-sign tokens using a key that is embedded within the token.
The weakness exists in the node-jose open source library due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). A remote attacker can forge valid JWS objects by removing the original signature, add a new public key to the header and sign the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.
The weakness exists in the node-jose open source library due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). A remote attacker can forge valid JWS objects by removing the original signature, add a new public key to the header and sign the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.
Remediation
Update to version 0.11.0.