mend-for-github-com (bot) changed the title from "firebase/php-jwt-v5.5.1: 1 vulnerabilities (highest severity is: 9.1)" to "firebase/php-jwt-v5.5.1: 1 vulnerabilities (highest severity is: 9.1) - autoclosed" on Nov 9, 2022
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.
Library home page: https://api.github.com/repos/firebase/php-jwt/zipball/83b609028194aa042ea33b5af2d41a7427de80e6
Found in HEAD commit: 1493c01d5435adf3cd4c1902d1963d0e40922821
Vulnerabilities
Details
Vulnerable Library - firebase/php-jwt-v5.5.1
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself.
Publish Date: 2022-03-29
URL: CVE-2021-46743
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46743
Release Date: 2022-03-29
Fix Resolution: v6.0.0