CVE-2022-23539

{"id": "CVE-2022-23539", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 1.6}]}, "published": "2022-12-23T00:15:12.347", "references": [{"url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-327"}]}], "descriptions": [{"lang": "en", "value": "Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you\u2019ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions."}, {"lang": "es", "value": "Las versiones `&lt;=8.5.1` de la librer\u00eda `jsonwebtoken` podr\u00edan estar mal configuradas para que se utilicen tipos de claves heredadas e inseguras para la verificaci\u00f3n de firmas. Por ejemplo, las claves DSA podr\u00edan usarse con el algoritmo RS256. Usted se ver\u00e1 afectado si utiliza un algoritmo y un tipo de clave que no sea una combinaci\u00f3n que figura en GitHub Security Advisory como no afectada. Este problema se ha solucionado; actualice a la versi\u00f3n 9.0.0. Esta versi\u00f3n valida para combinaciones de algoritmos y tipos de claves asim\u00e9tricas. Consulte las combinaciones de algorithm / key type mencionadas anteriormente para conocer la configuraci\u00f3n segura v\u00e1lida. Despu\u00e9s de actualizar a la versi\u00f3n 9.0.0, si a\u00fan tiene la intenci\u00f3n de continuar firmando o verificando tokens utilizando combinaciones de key type/algorithm no v\u00e1lidas, deber\u00e1 configurar la opci\u00f3n `allowInvalidAmetricKeyTypes` en `true` en `sign()`. y/o funciones `verify()`."}], "lastModified": "2024-06-21T19:15:22.683", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:auth0:jsonwebtoken:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7E5DD3C1-F5DD-4BFD-BCA3-561BC167CB35", "versionEndIncluding": "8.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}