Description
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. The secret is derived from Node.js Math.random, which is a non-cryptographic PRNG (V8's xorshift128+): its output is predictable rather than random, so the HMAC secret, and with it any token signed under that secret, can be recovered by an attacker.
Remediation
References
https://github.com/YMFE/yapi/issues/2117
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi