Insufficient verification of data authenticity in jwcrypto - CVE-2022-3102

Published: September 19, 2022 / Updated: April 8, 2026


Vulnerability identifier: #VU125314
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-3102
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: jwcrypto
Software vendor: latchset

Description

The vulnerability allows a remote attacker to bypass authentication or authorization.

The vulnerability exists because the JWT validation logic does not check which token type it has been handed, so a substituted token is processed as if it were the expected one. A remote attacker can supply a crafted JWE in place of the expected signed JWS to bypass authentication or authorization.

Exploitation requires that the validating application has the private key available during token validation and accepts tokens without separating the keys used for signature verification from the keys used for decryption.
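The mitigating control described above, checking the token type before any key is used, as an added stdlib-only example that is not jwcrypto's code (jwcrypto 1.4 and later expose an `expected_type` argument on `JWT` for the same purpose). The HS256 signing key and both tokens are constructed here for the demonstration; the JWE-shaped token carries a stand-in body rather than real ciphertext, since the point is that it is rejected before decryption or signature checks are reached.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_type(token: str) -> str:
    """Classify a compact token before any key is touched: a JWS has 3 segments
    and no 'enc' header, a JWE has 5 segments and an 'enc' header."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3 and "enc" not in header:
        return "JWS"
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    raise ValueError("unrecognized compact serialization")

def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_claims(token: str, key: bytes, expected_type: str = "JWS") -> dict:
    """Hardened validator: refuse the wrong token type first, then verify."""
    kind = token_type(token)
    if kind != expected_type:
        raise ValueError(f"expected {expected_type}, got {kind}")
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

# Constructed sample inputs (not taken from the advisory).
KEY = b"constructed-demo-key"
GOOD_JWS = sign_hs256({"sub": "alice", "admin": False}, KEY)
# JWE-shaped token: 5 segments and an 'enc' header; body is a stand-in, not ciphertext.
JWE_HEADER = b64url_encode(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM"}).encode())
SUBSTITUTED_JWE = ".".join([JWE_HEADER, b64url_encode(b"wrapped-key"), b64url_encode(b"iv"),
                            b64url_encode(b'{"admin": true}'), b64url_encode(b"tag")])
```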


Remediation

Install the security update from the vendor's website.

External links