Hi,
I’d like to request review/inclusion of the published GitHub Security Advisory for libjwt:
Summary:
libjwt accepted an RSA JWK without an alg parameter as the verification key for HS256/HS384/HS512 tokens. In the OpenSSL backend, this caused HMAC verification to use a zero-length key, allowing an attacker to forge JWTs using only the public JWKS in affected configurations.
The advisory has been published in the repo.
Could the GitHub Advisory Database team please review it for inclusion/indexing in the advisory database?
Thanks.
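As an added illustration, not code from libjwt or from the advisory, the following Python models the key-selection flaw the summary describes: a verifier that accepts an RSA JWK with no `alg` member as the key for an HS256/HS384/HS512 token and, because the JWK carries no symmetric key material, ends up running HMAC with a zero-length key. A hardened variant beside it rejects any non-`oct` JWK for HMAC algorithms and enforces that the JWK's `alg`, when present, matches the token's. The function names, the JWKS entry and the `kid` are constructed for the example; the RSA values are placeholders, not a real key.

```python
"""Model of the described bug (added example, not libjwt's implementation)."""
import base64
import hashlib
import hmac
import json

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWS using HMAC with the given key (attacker or issuer side)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), HMAC_ALGS[header["alg"]]).digest()
    return signing_input + "." + b64url_encode(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), h + "." + p, b64url_decode(s)


def verify_vulnerable(token: str, jwk: dict) -> bool:
    """Flawed behaviour: the HMAC key is whatever 'k' holds, defaulting to b''.

    An RSA JWK has no 'k', so an HS* token is checked against a zero-length key.
    """
    header, signing_input, sig = _split(token)
    alg = header.get("alg")
    if alg not in HMAC_ALGS:
        return False
    key = b64url_decode(jwk.get("k", ""))  # empty for an RSA JWK
    expected = hmac.new(key, signing_input.encode(), HMAC_ALGS[alg]).digest()
    return hmac.compare_digest(expected, sig)


def verify_hardened(token: str, jwk: dict) -> bool:
    """Key type and algorithm family must agree before any HMAC is computed."""
    header, signing_input, sig = _split(token)
    alg = header.get("alg")
    if alg not in HMAC_ALGS:
        return False
    if jwk.get("kty") != "oct":  # HMAC needs a symmetric key, never an RSA/EC JWK
        return False
    if "alg" in jwk and jwk["alg"] != alg:  # JWK alg, when present, must match the token
        return False
    key = b64url_decode(jwk.get("k", ""))
    if not key:  # never run HMAC with a zero-length key
        return False
    expected = hmac.new(key, signing_input.encode(), HMAC_ALGS[alg]).digest()
    return hmac.compare_digest(expected, sig)


# Constructed sample JWKS entry: a public RSA signing key with no "alg" member.
# "n" and "e" are placeholders, not real key material.
RSA_JWK_NO_ALG = {"kty": "RSA", "use": "sig", "kid": "example-rsa", "n": "not-a-real-modulus", "e": "AQAB"}


def forge(payload: dict) -> str:
    """Attacker side: no secret needed, the vulnerable verifier uses an empty HMAC key."""
    return sign_hs({"alg": "HS256", "typ": "JWT", "kid": "example-rsa"}, payload, b"")


def demo():
    """Returns (vulnerable verdict, hardened verdict) for a forged admin token."""
    token = forge({"sub": "admin", "role": "admin"})
    return verify_vulnerable(token, RSA_JWK_NO_ALG), verify_hardened(token, RSA_JWK_NO_ALG)


if __name__ == "__main__":
    print(demo())
```

The check that matters is the one on `kty`: a JWK's key type decides which algorithm family it may serve, and an HS* header must never be satisfied by an asymmetric key, whether or not the JWK states an `alg`. The zero-length-key guard is a second line of defence for the case the summary describes.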