How severe is CVE-2021-44878?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2021-44878?

This is classified as CWE-347, which is a common weakness in software security.

CVE-2021-44878

HIGH Year: 2021

CVSS v3 Score

7.5

High

CVSS v2 Score

5.0

Medium

Weakness Type

CWE-347

View all →

Vulnerability Description

If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.

CVE-2002-1706

HIGH

CVSS:7.5(High)

Cisco IOS software 11.3 through 12.2 running on Cisco uBR7200 and uBR7100 series Universal Broadband Routers allows remote attackers to modify Data Over Cable Service Interface Specification (DOCSIS) ...

CWE-3472002

CVE-2005-2181

HIGH

CVSS:7.5(High)

Cisco 7940/7960 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such...

CWE-3472005

CVE-2005-2182

HIGH

CVSS:7.5(High)

Grandstream BudgeTone (BT) 100 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoo...

CWE-3472005

CVE-2015-7336

HIGH

CVSS:7.5(High)

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was reported (fixed and publicly disclosed in 2015) in Lenovo System Update version 5.07.0008 and pr...

CWE-3472015

CVE-2016-1000338

HIGH

CVSS:7.5(High)

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up th...

CWE-3472016

CVE-2016-1000342

HIGH

CVSS:7.5(High)

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up ...

CWE-3472016

CVE-2021-44878

Vulnerability Description

Related Vulnerabilities

CVE-2002-1706

CVE-2005-2181

CVE-2005-2182

CVE-2015-7336

CVE-2016-1000338

CVE-2016-1000342