Critical severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 4, 2024
CVE-2021-46743
Description
In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| firebase/php-jwt (Packagist) | < 6.0.0 | 6.0.0 |
Affected products
- Firebase/PHP-JWT
References
- github.com/advisories/GHSA-8xf4-w7qw-pjjw
- nvd.nist.gov/vuln/detail/CVE-2021-46743
- github.com/FriendsOfPHP/security-advisories/blob/master/firebase/php-jwt/CVE-2021-46743.yaml
- github.com/firebase/php-jwt/issues/351
- github.com/firebase/php-jwt/releases/tag/v6.0.0