Impact
When dp3t-sdk-backend is configured to check a JWT before uploading/publishing keys, it was possible to skip the signature check by providing a JWT token with "alg":"none".
Patches
The issue has been patched in version 1.1.1.
References
For more information
If you have any questions or comments about this advisory:
MrSuicideParrot Analyst
Impact
When dp3t-sdk-backend is configured to check a JWT before uploading/publishing keys, it was possible to skip the signature check by providing a JWT token with
"alg":"none".Patches
The issue has been patched in version 1.1.1.
References
For more information
If you have any questions or comments about this advisory: