Description
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because the signing secret is generated with Node.js's Math.random, which is not a cryptographically secure random number generator, so the resulting secret is predictable.
Remediation
References
https://github.com/YMFE/yapi/issues/2117
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
Related Vulnerabilities
CVE-2017-16207 Vulnerability in npm package discordi.js
CVE-2016-8741 Vulnerability in maven package org.apache.qpid:qpid-broker-core
CVE-2021-21368 Vulnerability in maven package org.webjars.npm:msgpack5
CVE-2019-19771 Vulnerability in npm package hdkye
CVE-2019-8331 Vulnerability in maven package org.webjars.bowergithub.angular-ui:bootstrap