Use of a Broken or Risky Cryptographic Algorithm

CVE-2015-9235

High

9.8/10

Summary

In the jsonwebtoken package priors to version 4.2.2, an attacker can bypass verification when a token is digitally signed with an asymmetric key (RS/ES family) algorithm, but instead sends a token digitally signed with a symmetric algorithm (HS* family).

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

References

Advisory
Initial PR
Additional PR
Release Note

Advisory Timeline

Published May 29, 2018

Use of a Broken or Risky Cryptographic Algorithm

CVE-2015-9235

Summary

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS