Insufficient verification of data authenticity in jwcrypto - CVE-2022-3102

 

Insufficient verification of data authenticity in jwcrypto - CVE-2022-3102

Published: September 19, 2022 / Updated: April 8, 2026


Vulnerability identifier: #VU125314
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-3102
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: latchset
Affected software:
jwcrypto

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication or authorization.

The vulnerability exists due to improper token type handling in the JWT validation logic when processing a substituted token. A remote attacker can supply a crafted JWE in place of an expected signed JWS to bypass authentication or authorization.

Exploitation requires that the validating application has access to the private key during token validation and accepts tokens without separating signing and decryption key usage.


How to mitigate CVE-2022-3102

Install security update from vendor's website.

Sources