CVE-2022-23529

Description from NVD

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions `<= 8.5.1` of `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the readme link of the `jwt.verify()` function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the `jwt.verify()` on a host that you control. This issue has been fixed, please update to version 9.0.0.

Information Acquisition Date:2023-01-13T21:12Z
CVSS 2.0: 0.0 None CVSS 3.x: 9.8 CRITICAL

▼ CVSS3 Vec CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD References

 https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-27h2-hvpr-p74q
     source:MISC
     tags:Third Party Advisory    
 https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
     source:MISC
     tags:Patch    Third Party Advisory    

Refer to Information on External Sites

CVE InfomationExploits or more Infomation
mitreEXPLOIT DATABASE
NVD0day.today
vulmon.comgithub
CVE DetailsTwitter
JVN ENG JPN
Reconshell

Software Tag: Java(9 tweets) Linux(1 tweets) PHP(1 tweets) iOS(3 tweets)



List of frequently cited URLs

URLNum of Times Referred to
https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabil...79
https://cvetrends.com51
https://unit42.paloaltonetworks.jp/jsonwebtoken-vulnerabili...41
http://canyoupwn.me12
https://thehackernews.com/2023/01/critical-security-flaw-fo...11
https://github.com/github/advisory-database/pull/15957
https://opsmtrs.com/3u44jMT3
https://twitter.com/cyph3r_asr/status/16126844659770613763
https://b.hatena.ne.jp/entry/s/unit42.paloaltonetworks.jp/j...3
https://security.sios.jp/vulnerability/node-jsonwebtoken-se...3
https://securityboulevard.com/2023/01/cve-2022-23529-should...3
https://xcloud.spectrum.colortokens.com/cve/CVE-2022-235293

▼ Show Information from Twitter(334)


List of frequently cited URLs

URLNum of Times Referred to
unit42.paloaltonetworks.com79
cvetrends.com51
unit42.paloaltonetworks.jp41
canyoupwn.me12
thehackernews.com11
github.com7
opsmtrs.com3
twitter.com3
b.hatena.ne.jp3
security.sios.jp3
securityboulevard.com3
xcloud.spectrum.colortokens.com3

▼ Show Information from Twitter(334)


GitHub Search Results: Up to 10
NameURL
despossivel/CVE-2022-23529-lab https://github.com/despossivel/CVE-2022-23529-lab
Live-Hack-CVE/CVE-2022-23529 https://github.com/Live-Hack-CVE/CVE-2022-23529

GitHub Search Results: Up to 10
NameURL
despossivel/CVE-2022-23529-lab github.com
Live-Hack-CVE/CVE-2022-23529 github.com

2023/02/06 Score : 0
Added Har-sia Database : 2022/12/22
Last Modified : 2023/02/06
Highest Scored Date : 2023/01/11
Highest Score : 148