{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2022-23539", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-01-19T21:23:53.795Z", "datePublished": "2022-12-22T23:20:47.855Z", "dateUpdated": "2025-02-13T16:32:21.041Z"}, "containers": {"cna": {"title": "jsonwebtoken unrestricted key type could lead to legacy keys usage", "problemTypes": [{"descriptions": [{"cweId": "CWE-327", "lang": "en", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33"}, {"name": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "affected": [{"vendor": "auth0", "product": "node-jsonwebtoken", "versions": [{"version": "<= 8.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-21T19:08:19.474Z"}, "descriptions": [{"lang": "en", "value": "Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you\u2019ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions."}], "source": {"advisory": "GHSA-8cf7-32gw-wr33", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.551Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33"}, {"name": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:auth0:jsonwebtoken:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7E5DD3C1-F5DD-4BFD-BCA3-561BC167CB35", "versionEndIncluding": "8.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you\u2019ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions."}, {"lang": "es", "value": "Las versiones `&lt;=8.5.1` de la librer\u00eda `jsonwebtoken` podr\u00edan estar mal configuradas para que se utilicen tipos de claves heredadas e inseguras para la verificaci\u00f3n de firmas. Por ejemplo, las claves DSA podr\u00edan usarse con el algoritmo RS256. Usted se ver\u00e1 afectado si utiliza un algoritmo y un tipo de clave que no sea una combinaci\u00f3n que figura en GitHub Security Advisory como no afectada. Este problema se ha solucionado; actualice a la versi\u00f3n 9.0.0. Esta versi\u00f3n valida para combinaciones de algoritmos y tipos de claves asim\u00e9tricas. Consulte las combinaciones de algorithm / key type mencionadas anteriormente para conocer la configuraci\u00f3n segura v\u00e1lida. Despu\u00e9s de actualizar a la versi\u00f3n 9.0.0, si a\u00fan tiene la intenci\u00f3n de continuar firmando o verificando tokens utilizando combinaciones de key type/algorithm no v\u00e1lidas, deber\u00e1 configurar la opci\u00f3n `allowInvalidAmetricKeyTypes` en `true` en `sign()`. y/o funciones `verify()`."}], "id": "CVE-2022-23539", "lastModified": "2024-11-21T06:48:46.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-23T00:15:12.347", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3265", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.12::el8", "package": "odf4/mcg-core-rhel8:v4.12.3-4", "product_name": "RHODF-4.12-RHEL-8", "release_date": "2023-05-23T00:00:00Z"}], "bugzilla": {"description": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", "id": "2155978", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155978"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-327", "details": ["Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you\u2019ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.", "A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm."], "name": "CVE-2022-23539", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "noobaa-core-container", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2022-12-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23539\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23539\nhttps://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33"], "statement": "The jsonwebtoken package is a transitive dependency and is not used directly in any of the Red Hat products. Hence, the impact is set to Moderate.", "threat_severity": "Moderate", "upstream_fix": "jsonwebtoken 9.0.0"}