RubyGems package
json-jwt
pkg:gem/json-jwt
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-51774 | — | >= 1.16.0, < 1.16.6 | 1.16.6 | Dec 25, 2023 | The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode. | ||
| CVE-2019-18848 | — | < 1.11.0 | 1.11.0 | Nov 12, 2019 | The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string. | ||
| CVE-2018-1000539 | — | >= 0.5.1, < 1.9.4 | 1.9.4 | Jun 26, 2018 | Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via netw |
- CVE-2023-51774Dec 25, 2023affected >= 1.16.0, < 1.16.6fixed 1.16.6
The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
- CVE-2019-18848Nov 12, 2019affected < 1.11.0fixed 1.11.0
The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string.
- CVE-2018-1000539Jun 26, 2018affected >= 0.5.1, < 1.9.4fixed 1.9.4
Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via netw