Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-0114Improper Verification of Cryptographic Signature in Cisco Node-jose

CWE-347Improper Verification of Cryptographic Signature6 documents6 sources
Severity
7.5HIGHNVD
EPSS
84.7%
top 0.66%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Cisco Node-jose
Timeline
PublishedJan 4
Latest updateMay 13

Description

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). This standard specifies that a JSON Web Key (JWK) representing a public key can be embedded within the header of a JWS. This public key is then trusted for verification. An attacker could exploit this

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDcisco/node-jose< 0.11.0
npmcisco/node-jose< 0.11.0

Patches

Patch: tools.cisco.comPatch: tools.cisco.com

🔴Vulnerability Details

3
GHSA
Cisco node-jose improper validation of JWT signature2022-05-13
OSV
Cisco node-jose improper validation of JWT signature2022-05-13
CVEList
CVE-2018-0114: A vulnerability in the Cisco node-jose open source library before 02018-01-04

💥Exploits & PoCs

1
Exploit-DB
Cisco node-jos < 0.11.0 - Re-sign Tokens2018-03-20

📐Framework References

1
OWASP
Testing JSON Web Tokens
CVE-2018-0114 — Cisco Node-jose vulnerability | cvebase