Moderate severityNVD Advisory· Published Dec 25, 2023· Updated Aug 26, 2024
CVE-2023-51774
CVE-2023-51774
Description
The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
json-jwtRubyGems | >= 1.16.0, < 1.16.6 | 1.16.6 |
json-jwtRubyGems | < 1.15.3.1 | 1.15.3.1 |
Affected products
16- json-jwt/json-jwtdescription
- osv-coords15 versionspkg:apk/chainguard/kube-fluentd-operatorpkg:apk/chainguard/kube-fluentd-operator-compatpkg:apk/chainguard/kube-fluentd-operator-default-configpkg:apk/chainguard/kube-fluentd-operator-oci-entrypointpkg:apk/chainguard/ruby3.2-json-jwtpkg:apk/wolfi/kube-fluentd-operatorpkg:apk/wolfi/kube-fluentd-operator-compatpkg:apk/wolfi/kube-fluentd-operator-default-configpkg:apk/wolfi/kube-fluentd-operator-oci-entrypointpkg:apk/wolfi/ruby3.2-json-jwtpkg:gem/json-jwtpkg:rpm/opensuse/rubygem-aes_key_wrap&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/rubygem-json-jwt&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/rubygem-aes_key_wrap&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/rubygem-json-jwt&distro=SUSE%20Package%20Hub%2015%20SP5
< 1.18.2-r3+ 14 more
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.16.6-r0
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.18.2-r3
- (no CPE)range: < 1.16.6-r0
- (no CPE)range: >= 1.16.0, < 1.16.6
- (no CPE)range: < 1.1.0-bp155.2.1
- (no CPE)range: < 1.16.6-bp155.3.3.1
- (no CPE)range: < 1.1.0-bp155.2.1
- (no CPE)range: < 1.16.6-bp155.3.3.1
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-c8v6-786g-vjx6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-51774ghsaADVISORY
- github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.mdghsaWEB
- github.com/nov/json-jwt/commit/593ea8bcaf2629048bad8c036191f2da0a2e713cghsaWEB
- github.com/nov/json-jwt/commit/9c4d842a9465bd7960570ca326c3de79b4abc9d0ghsaWEB
- github.com/nov/json-jwt/issues/120ghsaWEB
- github.com/nov/json-jwt/issues/121ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/json-jwt/CVE-2023-51774.ymlghsaWEB
News mentions
0No linked articles in our index yet.