reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.
References
Link | Resource |
---|---|
https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5 | Patch Third Party Advisory |
https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2 | Release Notes Third Party Advisory |
https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7 | Third Party Advisory |
Configurations
History
08 Feb 2023, 01:27
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2 - Release Notes, Third Party Advisory | |
References | (MISC) https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7 - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
First Time |
Reason-jose Project reason-jose
Reason-jose Project |
|
CPE | cpe:2.3:a:reason-jose_project:reason-jose:*:*:*:*:*:*:*:* |
01 Feb 2023, 01:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-01 01:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-23928
Mitre link : CVE-2023-23928
CVE.ORG link : CVE-2023-23928
JSON object : View
Products Affected
reason-jose_project
- reason-jose
CWE
CWE-347
Improper Verification of Cryptographic Signature