In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself.
References
Link | Resource |
---|---|
https://github.com/firebase/php-jwt/issues/351 | Exploit Third Party Advisory |
Configurations
History
08 Apr 2022, 15:14
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/firebase/php-jwt/issues/351 - Exploit, Third Party Advisory | |
CWE | CWE-843 | |
First Time |
Google
Google firebase Php-jwt |
|
CVSS |
v2 : v3 : |
v2 : 5.8
v3 : 9.1 |
CPE | cpe:2.3:a:google:firebase_php-jwt:*:*:*:*:*:*:*:* |
29 Mar 2022, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-03-29 07:15
Updated : 2023-12-10 14:22
NVD link : CVE-2021-46743
Mitre link : CVE-2021-46743
CVE.ORG link : CVE-2021-46743
JSON object : View
Products Affected
- firebase_php-jwt
CWE
CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')