The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.
References
Configurations
History
No history.
Information
Published : 2022-07-01 20:15
Updated : 2024-11-21 06:53
NVD link : CVE-2022-25898
Mitre link : CVE-2022-25898
CVE.ORG link : CVE-2022-25898
JSON object : View
Products Affected
jsrsasign_project
- jsrsasign
CWE
CWE-347
Improper Verification of Cryptographic Signature