Description
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.
Remediation
References
https://github.com/YMFE/yapi/issues/2117
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
Related Vulnerabilities
CVE-2023-4316 Vulnerability in maven package org.webjars.npm:zod
CVE-2020-24660 Vulnerability in npm package node-lemonldap-ng-handler
CVE-2021-36372 Vulnerability in maven package org.apache.ozone:ozone-common
CVE-2019-19771 Vulnerability in npm package wbe3
CVE-2020-19698 Vulnerability in maven package org.webjars.npm:editor.md