Description

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.

Remediation

References

https://github.com/YMFE/yapi/issues/2117

https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi

Related Vulnerabilities

CVE-2022-28220 Vulnerability in maven package org.apache.james.protocols:protocols-api

CVE-2021-23337 Vulnerability in npm package lodash.template

CVE-2021-21118 Vulnerability in npm package electron

CVE-2019-16775 Vulnerability in npm package bin-links

CVE-2023-46589 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

Severity

Medium

Classification

CWE-330 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Tags

Third Party Advisory