Description
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.
Remediation
References
https://github.com/YMFE/yapi/issues/2117
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi