Description
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because the secret is generated with Math.random in Node.js, which is not a cryptographically secure random number generator.
Remediation
References
https://github.com/YMFE/yapi/issues/2117
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
Related Vulnerabilities
CVE-2016-10644 Vulnerability in npm package slimerjs-edge
CVE-2023-26158 Vulnerability in maven package org.webjars.npm:mockjs
CVE-2018-3258 Vulnerability in maven package mysql:mysql-connector-java
CVE-2021-32684 Vulnerability in npm package magento-scripts
CVE-2018-1000129 Vulnerability in maven package org.jolokia:jolokia-core