reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.
References
Link | Resource |
---|---|
https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5 | Patch Third Party Advisory |
https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2 | Release Notes Third Party Advisory |
https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-02-01T00:59:38.475Z
Updated:
Reserved: 2023-01-19T21:12:31.359Z
Link: CVE-2023-23928
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-02-01T01:15:09.023
Modified: 2023-02-08T01:27:45.827
Link: CVE-2023-23928
JSON object: View
Redhat Information
No data.
CWE