CVE-2024-33531

high

Description

cdbattags lua-resty-jwt 0.2.3 allows attackers to bypass all JWT-parsing signature checks by crafting a JWT whose header contains an enc parameter with the value A256GCM.

References

https://insinuator.net/2023/10/lua-resty-jwt-authentication-bypass/

https://github.com/cdbattags/lua-resty-jwt/issues/61

https://github.com/cdbattags/lua-resty-jwt/commit/d1558e2afefe868fea1e7e9a4b04ea94ab678a85

Details

Source: Mitre, NVD

Published: 2024-04-24

Updated: 2024-07-03

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.00173