Vulnerability Details CVE-2022-23540
In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.1%
CVSS Severity
CVSS v3 Score 6.4
References
- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
- https://security.netapp.com/advisory/ntap-20240621-0007/
Products affected by CVE-2022-23540
-
cpe:2.3:a:auth0:jsonwebtoken:0.1.0
-
cpe:2.3:a:auth0:jsonwebtoken:0.2.0
-
cpe:2.3:a:auth0:jsonwebtoken:0.3.0
-
cpe:2.3:a:auth0:jsonwebtoken:0.4.0
-
cpe:2.3:a:auth0:jsonwebtoken:0.4.1
-
cpe:2.3:a:auth0:jsonwebtoken:1.0.0
-
cpe:2.3:a:auth0:jsonwebtoken:1.0.2
-
cpe:2.3:a:auth0:jsonwebtoken:1.1.0
-
cpe:2.3:a:auth0:jsonwebtoken:1.1.1
-
cpe:2.3:a:auth0:jsonwebtoken:1.1.2
-
cpe:2.3:a:auth0:jsonwebtoken:1.2.0
-
cpe:2.3:a:auth0:jsonwebtoken:1.3.0
-
cpe:2.3:a:auth0:jsonwebtoken:2.0.0
-
cpe:2.3:a:auth0:jsonwebtoken:3.0.0
-
cpe:2.3:a:auth0:jsonwebtoken:3.1.0
-
cpe:2.3:a:auth0:jsonwebtoken:3.1.1
-
cpe:2.3:a:auth0:jsonwebtoken:3.2.0
-
cpe:2.3:a:auth0:jsonwebtoken:3.2.1
-
cpe:2.3:a:auth0:jsonwebtoken:3.2.2
-
cpe:2.3:a:auth0:jsonwebtoken:4.0.0
-
cpe:2.3:a:auth0:jsonwebtoken:4.1.0
-
cpe:2.3:a:auth0:jsonwebtoken:4.2.0
-
cpe:2.3:a:auth0:jsonwebtoken:4.2.1
-
cpe:2.3:a:auth0:jsonwebtoken:4.2.2
-
cpe:2.3:a:auth0:jsonwebtoken:5.0.0
-
cpe:2.3:a:auth0:jsonwebtoken:5.0.1
-
cpe:2.3:a:auth0:jsonwebtoken:5.0.2
-
cpe:2.3:a:auth0:jsonwebtoken:5.0.3
-
cpe:2.3:a:auth0:jsonwebtoken:5.0.4
-
cpe:2.3:a:auth0:jsonwebtoken:5.0.5
-
cpe:2.3:a:auth0:jsonwebtoken:5.1.0
-
cpe:2.3:a:auth0:jsonwebtoken:5.2.0
-
cpe:2.3:a:auth0:jsonwebtoken:5.3.1
-
cpe:2.3:a:auth0:jsonwebtoken:5.4.0
-
cpe:2.3:a:auth0:jsonwebtoken:5.4.1
-
cpe:2.3:a:auth0:jsonwebtoken:5.5.0
-
cpe:2.3:a:auth0:jsonwebtoken:5.5.1
-
cpe:2.3:a:auth0:jsonwebtoken:5.5.2
-
cpe:2.3:a:auth0:jsonwebtoken:5.5.3
-
cpe:2.3:a:auth0:jsonwebtoken:5.5.4
-
cpe:2.3:a:auth0:jsonwebtoken:5.6.0
-
cpe:2.3:a:auth0:jsonwebtoken:5.6.2
-
cpe:2.3:a:auth0:jsonwebtoken:5.7.0
-
cpe:2.3:a:auth0:jsonwebtoken:6.0.0
-
cpe:2.3:a:auth0:jsonwebtoken:6.0.1
-
cpe:2.3:a:auth0:jsonwebtoken:6.1.0
-
cpe:2.3:a:auth0:jsonwebtoken:6.1.1
-
cpe:2.3:a:auth0:jsonwebtoken:6.1.2
-
cpe:2.3:a:auth0:jsonwebtoken:6.2.0
-
cpe:2.3:a:auth0:jsonwebtoken:7.0.0
-
cpe:2.3:a:auth0:jsonwebtoken:7.0.1
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.0
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.1
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.10
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.3
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.5
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.6
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.7
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.8
-
cpe:2.3:a:auth0:jsonwebtoken:7.1.9
-
cpe:2.3:a:auth0:jsonwebtoken:7.2.0
-
cpe:2.3:a:auth0:jsonwebtoken:7.2.1
-
cpe:2.3:a:auth0:jsonwebtoken:7.3.0
-
cpe:2.3:a:auth0:jsonwebtoken:7.4.0
-
cpe:2.3:a:auth0:jsonwebtoken:7.4.1
-
cpe:2.3:a:auth0:jsonwebtoken:7.4.2
-
cpe:2.3:a:auth0:jsonwebtoken:7.4.3
-
cpe:2.3:a:auth0:jsonwebtoken:8.0.0
-
cpe:2.3:a:auth0:jsonwebtoken:8.0.1
-
cpe:2.3:a:auth0:jsonwebtoken:8.1.0
-
cpe:2.3:a:auth0:jsonwebtoken:8.1.1
-
cpe:2.3:a:auth0:jsonwebtoken:8.2.0
-
cpe:2.3:a:auth0:jsonwebtoken:8.2.1
-
cpe:2.3:a:auth0:jsonwebtoken:8.2.2
-
cpe:2.3:a:auth0:jsonwebtoken:8.3.0
-
cpe:2.3:a:auth0:jsonwebtoken:8.4.0
-
cpe:2.3:a:auth0:jsonwebtoken:8.5.0
-
cpe:2.3:a:auth0:jsonwebtoken:8.5.1