Description
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.
Remediation
References
https://github.com/YMFE/yapi/issues/2117
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
Related Vulnerabilities
CVE-2023-36479 Vulnerability in maven package org.eclipse.jetty.ee10:jetty-ee10-servlets
CVE-2012-5887 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2022-44729 Vulnerability in maven package org.apache.xmlgraphics:batik-svgrasterizer
CVE-2021-21294 Vulnerability in maven package org.http4s:http4s-blaze-server_2.13
CVE-2016-7103 Vulnerability in maven package org.webjars:jquery-ui