Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/jsonwebtoken@4.2.2
Typenpm
Namespace
Namejsonwebtoken
Version4.2.2
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-54h7-2gp7-1yb9
vulnerability_id VCID-54h7-2gp7-1yb9
summary 
JWT Verification bypass with "none" algorithm
It is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
references
0
reference_url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
reference_id
reference_type
scores
url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
1
reference_url https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
reference_id
reference_type
scores
url https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
2
reference_url https://www.timmclean.net/2015/02/25/jwt-alg-none.html
reference_id
reference_type
scores
url https://www.timmclean.net/2015/02/25/jwt-alg-none.html
fixed_packages
0
url pkg:npm/jsonwebtoken@4.2.2
purl pkg:npm/jsonwebtoken@4.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jsonwebtoken@4.2.2
aliases GMS-2015-4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-54h7-2gp7-1yb9
1
url VCID-5n9u-avux-mbhx
vulnerability_id VCID-5n9u-avux-mbhx
summary 
Use of a Broken or Risky Cryptographic Algorithm
In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-9235.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-9235.json
1
reference_url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
2
reference_url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
reference_id
reference_type
scores
url https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
3
reference_url https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
4
reference_url https://nodesecurity.io/advisories/17
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/17
5
reference_url https://www.npmjs.com/advisories/17
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/17
6
reference_url https://www.timmclean.net/2015/02/25/jwt-alg-none.html
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.timmclean.net/2015/02/25/jwt-alg-none.html
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1584880
reference_id 1584880
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1584880
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-9235
reference_id CVE-2015-9235
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-9235
9
reference_url https://github.com/advisories/GHSA-c7hr-j4mj-j2w6
reference_id GHSA-c7hr-j4mj-j2w6
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-c7hr-j4mj-j2w6
fixed_packages
0
url pkg:npm/jsonwebtoken@4.2.2
purl pkg:npm/jsonwebtoken@4.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jsonwebtoken@4.2.2
aliases CVE-2015-9235, GHSA-c7hr-j4mj-j2w6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5n9u-avux-mbhx
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/jsonwebtoken@4.2.2