GHSA-xm5f-hc9r-76f3

Suggest an improvement
Source
https://github.com/advisories/GHSA-xm5f-hc9r-76f3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xm5f-hc9r-76f3/GHSA-xm5f-hc9r-76f3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xm5f-hc9r-76f3
Aliases
Published
2022-05-24T16:52:44Z
Modified
2023-11-01T04:47:02.866874Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
PHP JOSE Library by Gree Inc. Uses a Broken or Risky Cryptographic Algorithm
Details

The PHP JOSE Library by Gree Inc. prior to 2.2.1 is vulnerable to key confusion/algorithm substitution in the JWS component resulting in bypassing the signature verification via crafted tokens.

Database specific 
{
    "github_reviewed": true,
    "nvd_published_at": "2019-08-07T15:15:00Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-327"
    ],
    "github_reviewed_at": "2023-03-03T23:14:26Z"
}
References

Affected packages

Packagist / gree/jose

Package

Name
gree/jose
Purl
pkg:composer/gree/jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.1

Affected versions

0.*

0.1.0
0.1.1
0.1.3
0.1.4
0.1.5

1.*

1.0.0
1.0.1

2.*

2.0.0
2.0.1
2.1.0
2.2.0