How severe is CVE-2022-23539?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2022-23539?

This is classified as CWE-327, which is a common weakness in software security.

CVE-2022-23539 - HIGH Severity | CVSS 8.1

Q: What is CVE-2022-23539?

Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.

Vulnerability Description

Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.

Related Vulnerabilities

CVE-2018-7211

HIGH

CVSS:8.1(High)

An issue was discovered in iDashboards 9.6b. The SSO implementation is affected by a weak obfuscation library, allowing man-in-the-middle attackers to discover credentials.

CWE-3272018

CVE-2019-12587

HIGH

CVSS:8.1(High)

The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any E...

CWE-3272019

CVE-2019-1828

HIGH

CVSS:8.1(High)

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to access administrative cred...

CWE-3272019

CVE-2019-18832

HIGH

CVSS:8.1(High)

Barco ClickShare Button R9861500D01 devices before 1.9.0 have incorrect Credentials Management. The ClickShare Button implements encryption at rest which uses a one-time programmable (OTP) AES encrypt...

CWE-3272019

CVE-2020-25694

HIGH

CVSS:8.1(High)

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only...

CWE-3272020

CVE-2020-5229

HIGH

CVSS:8.1(High)

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causin...

CWE-3272020