Authorization Bypass

Affecting express-jwt package, versions <6.0.0


Overview

express-jwt is a JWT authentication middleware.

Affected versions of this package are vulnerable to Authorization Bypass. The `algorithms` option is not enforced: the middleware accepts a configuration that omits it, and in that case it does not restrict which signing algorithm a presented token may use. When `algorithms` is left unspecified and express-jwt is combined with jwks-rsa, this may lead to an authorization bypass.

Remediation

Upgrade express-jwt to version 6.0.0 or higher.

CVSS Score

7.4 (high severity)
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Credit: IST Group
CVE: CVE-2020-15084
CWE: CWE-285
Snyk ID: SNYK-JS-EXPRESSJWT-575022
Disclosed: 01 Jul, 2020
Published: 01 Jul, 2020