cvelist/2018/1000xxx/CVE-2018-1000125.json

{"data_version":"4.0","references":{"reference_data":[{"url":"https://github.com/inversoft/prime-jwt/issues/2"},{"url":"https://github.com/inversoft/prime-jwt/blob/master/CHANGES"}]},"description":{"description_data":[{"lang":"eng","value":"inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid signature. This attack appear to be exploitable via an attacker crafting a token with a valid header and body and then requests it to be validated. This vulnerability appears to have been fixed in 1.3.0 and later or after commit 0d94dcef0133d699f21d217e922564adbb83a227."}]},"data_type":"CVE","affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"version":{"version_data":[{"version_value":"prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227"}]},"product_name":"prime-jwt"}]},"vendor_name":"inversoft"}]}},"CVE_data_meta":{"DATE_ASSIGNED":"3/1/2018 18:13:33","ID":"CVE-2018-1000125","ASSIGNER":"kurt@seifried.org","REQUESTER":"daniel@inversoft.com"},"data_format":"MITRE","problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20"}]}]}}