Impact
What kind of vulnerability is it? Who is impacted?
https://github.com/grassrootza/grassroot-platform before master deployment as of 2021-04-16 did not properly verify the signature of JSON Web Tokens when refreshing an existing JWT.
This allows an attacker to forge a valid JWT.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been patched by deprecating the JWT refresh function, which was an overdue deprecation regardless (the "refresh" flow is no longer used).
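As an added illustration, not code from grassroot-platform (a Java project), the pattern behind the flaw in stand-alone Python using only the standard library: a refresh routine that trusts the token payload without checking its HMAC, beside one that verifies the signature before re-issuing anything. The secret and the claims are constructed for the demo.

```python
import base64, hmac, hashlib, json

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"demo-signing-key-not-real"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def claims_of(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))

def refresh_vulnerable(token: str) -> str:
    """The flawed pattern: re-sign whatever claims the client sent, unverified."""
    return sign_jwt(claims_of(token))

def refresh_fixed(token: str, secret: bytes = SECRET) -> str:
    """Verify the HMAC over header.payload before issuing a new token.
    The server fixes the algorithm itself; the token's alg header is not consulted."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid JWT signature; refresh refused")
    return sign_jwt(json.loads(_b64url_decode(payload)), secret)

def demo() -> dict:
    """Regression check: a token whose payload was altered after signing (constructed)."""
    genuine = sign_jwt({"sub": "user-42", "role": "user"})
    header, _, sig = genuine.split(".")
    altered = _b64url(json.dumps({"sub": "user-42", "role": "admin"}).encode())
    tampered = f"{header}.{altered}.{sig}"
    result = {"vulnerable_accepts": claims_of(refresh_vulnerable(tampered))["role"] == "admin"}
    try:
        refresh_fixed(tampered)
        result["fixed_rejects"] = False
    except ValueError:
        result["fixed_rejects"] = True
    return result
```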
For more information
If you have any questions or comments about this advisory: