CVE-2023-31580

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-31580

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31580.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-31580

Aliases

GHSA-mx47-h5fv-ghwh

Published

2023-10-25T18:17:27.680Z

Modified

2025-11-15T06:31:01.510514Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.

References

Affected packages

Git / github.com/networknt/light-oauth2

Affected ranges

Type: GIT
Repo: https://github.com/networknt/light-oauth2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ebcdc2967ff2ec67c0e77b1d189f5a4c0032d8b3

Affected versions

0.*

0.1.2

1.*

1.0.0

1.2.4

1.3.1

1.3.4

1.4.0

1.4.1

1.4.2

1.4.3

1.5.10

1.5.11

1.5.12

1.5.13

1.5.14

1.5.15

1.5.16

1.5.17

1.5.18

1.5.19

1.5.20

1.5.21

1.5.22

1.5.23

1.5.24

1.5.25

1.5.27

1.5.28

1.5.29

1.5.30

1.5.31

1.5.32

1.5.34

1.5.6

1.5.7

1.5.8

1.5.9

1.6.0

1.6.1

1.6.2

1.6.4

2.*

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.2

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.0.28

2.0.29

2.0.3

2.0.30

2.0.31

2.0.32

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.1

2.1.10

2.1.11

2.1.12

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.1.2

2.1.20

2.1.22

2.1.23

2.1.24

2.1.25

2.1.26

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31580.json"