#VU9721 Information disclosure in node-jose - CVE-2018-0114
Published: December 25, 2017 / Updated: March 17, 2023
Vulnerability identifier: #VU9721
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-0114
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
node-jose
node-jose
Software vendor:
GNU
GNU
Description
The vulnerability allows a remote attacker to re-sign tokens using a key that is embedded within the token.
The weakness exists in the node-jose open source library due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). A remote attacker can forge valid JWS objects by removing the original signature, add a new public key to the header and sign the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.
The weakness exists in the node-jose open source library due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). A remote attacker can forge valid JWS objects by removing the original signature, add a new public key to the header and sign the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.
Remediation
Update to version 0.11.0.