Lookup for vulnerable packages by Package URL.

Purl pkg:composer/namshi/jose@1.1.0
Type composer
Namespace namshi
Name jose
Version 1.1.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.2.0
Latest_non_vulnerable_version 2.2.0
Affected_by_vulnerabilities
0
url VCID-48zd-34ep-cua1
vulnerability_id VCID-48zd-34ep-cua1
summary
Improper Authentication
Attackers able to impersonate users.
references
0
reference_url https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e
reference_id
reference_type
scores
url https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e
fixed_packages
0
url pkg:composer/namshi/jose@1.1.2
purl pkg:composer/namshi/jose@1.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-u53s-286x-1uax
2
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@1.1.2
1
url pkg:composer/namshi/jose@1.2.2
purl pkg:composer/namshi/jose@1.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-u53s-286x-1uax
2
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@1.2.2
2
url pkg:composer/namshi/jose@2.0.3
purl pkg:composer/namshi/jose@2.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-u53s-286x-1uax
2
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.0.3
3
url pkg:composer/namshi/jose@2.1.2
purl pkg:composer/namshi/jose@2.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-u53s-286x-1uax
2
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.1.2
aliases GMS-2015-70
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-48zd-34ep-cua1
1
url VCID-862b-xqfw-bya5
vulnerability_id VCID-862b-xqfw-bya5
summary
namshi/jose insecure JSON Web Signatures (JWS)
namshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. The vulnerability arises from the $allowUnsecure flag, which, when set to true during the loading of JWSes, permits tokens signed with 'none' algorithms to be processed. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid JWT token.
references
0
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-02-19.yaml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-02-19.yaml
1
reference_url https://github.com/namshi/jose
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/namshi/jose
2
reference_url https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/namshi/jose/commit/009f86d6ced000b806b2f602c0b7393060ebb34e
3
reference_url https://github.com/advisories/GHSA-hxhc-wmg8-xrqf
reference_id GHSA-hxhc-wmg8-xrqf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hxhc-wmg8-xrqf
fixed_packages
0
url pkg:composer/namshi/jose@1.1.2
purl pkg:composer/namshi/jose@1.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-u53s-286x-1uax
2
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@1.1.2
1
url pkg:composer/namshi/jose@1.2.2
purl pkg:composer/namshi/jose@1.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-u53s-286x-1uax
2
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@1.2.2
2
url pkg:composer/namshi/jose@2.0.3
purl pkg:composer/namshi/jose@2.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-u53s-286x-1uax
2
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.0.3
3
url pkg:composer/namshi/jose@2.1.2
purl pkg:composer/namshi/jose@2.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-u53s-286x-1uax
2
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.1.2
aliases GHSA-hxhc-wmg8-xrqf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-862b-xqfw-bya5
2
url VCID-gh79-gw1t-j7ar
vulnerability_id VCID-gh79-gw1t-j7ar
summary
Improper Authentication
Critical vulnerabilities in JSON Web Token libraries.
references
0
reference_url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
reference_id
reference_type
scores
url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
fixed_packages
0
url pkg:composer/namshi/jose@2.2.0
purl pkg:composer/namshi/jose@2.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.2.0
aliases GMS-2015-71
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gh79-gw1t-j7ar
3
url VCID-u53s-286x-1uax
vulnerability_id VCID-u53s-286x-1uax
summary
JWT Verification bypass with "none" algorithm
It is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
references
0
reference_url https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
reference_id
reference_type
scores
url https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
1
reference_url https://github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a07933db0b5ff5cd636
reference_id
reference_type
scores
url https://github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a07933db0b5ff5cd636
fixed_packages
0
url pkg:composer/namshi/jose@2.1.3
purl pkg:composer/namshi/jose@2.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gh79-gw1t-j7ar
1
vulnerability VCID-vwx5-vvkf-97c1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.1.3
aliases GMS-2015-5
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u53s-286x-1uax
4
url VCID-vwx5-vvkf-97c1
vulnerability_id VCID-vwx5-vvkf-97c1
summary
namshi/jose - Verification bypass
Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).
references
0
reference_url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
1
reference_url https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-03-10.yaml
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/namshi/jose/2015-03-10.yaml
3
reference_url https://github.com/namshi/jose
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/namshi/jose
4
reference_url https://github.com/advisories/GHSA-4rr6-gf59-ggw5
reference_id GHSA-4rr6-gf59-ggw5
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4rr6-gf59-ggw5
fixed_packages
0
url pkg:composer/namshi/jose@2.2.0
purl pkg:composer/namshi/jose@2.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@2.2.0
aliases GHSA-4rr6-gf59-ggw5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vwx5-vvkf-97c1
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/namshi/jose@1.1.0