You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have algorithms configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the secret. You can fix this by specifying algorithms in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.
Vulnerable Library - express-jwt-5.3.1.tgz
JWT authentication middleware.
Library home page: https://registry.npmjs.org/express-jwt/-/express-jwt-5.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-jwt/package.json
Found in HEAD commit: df030affe6fe3de4496f2f71d0bed6559686b108
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-15084
Vulnerable Library - express-jwt-5.3.1.tgz
JWT authentication middleware.
Library home page: https://registry.npmjs.org/express-jwt/-/express-jwt-5.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-jwt/package.json
Dependency Hierarchy:
Found in HEAD commit: df030affe6fe3de4496f2f71d0bed6559686b108
Found in base branch: master
Vulnerability Details
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have algorithms configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the secret. You can fix this by specifying algorithms in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.
Publish Date: 2020-06-30
URL: CVE-2020-15084
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6g6m-m6h5-w9gf
Release Date: 2020-06-30
Fix Resolution: 6.0.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: