RubyGems package
json-jwt
pkg:gem/json-jwt
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-51774 | Hig | 8.4 | >= 1.16.0, < 1.16.6 | 1.16.6 | Feb 29, 2024 | The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode. | |
| CVE-2019-18848 | Hig | 7.5 | < 1.11.0 | 1.11.0 | Nov 12, 2019 | The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string. | |
| CVE-2018-1000539 | Med | 5.3 | >= 0.5.1, < 1.9.4 | 1.9.4 | Jun 26, 2018 | Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via netw |
- affected >= 1.16.0, < 1.16.6fixed 1.16.6
The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
- affected < 1.11.0fixed 1.11.0
The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string.
- affected >= 0.5.1, < 1.9.4fixed 1.9.4
Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via netw