Description
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because the secret is generated with Math.random in Node.js, which is not a cryptographically secure random source.
Remediation
References
https://github.com/YMFE/yapi/issues/2117
https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
Related Vulnerabilities
CVE-2021-37304 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base
CVE-2017-16083 Vulnerability in npm package node-simple-router
CVE-2017-5650 Vulnerability in maven package org.apache.tomcat:tomcat-coyote
CVE-2022-39366 Vulnerability in maven package io.acryl:datahub-client
CVE-2017-16132 Vulnerability in npm package simple-npm-registry