Description
light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow an attacker to authenticate to the application with a crafted JWT.
Remediation
References
https://github.com/networknt/light-oauth2/issues/369
https://github.com/KANIXB/JWTIssues/blob/main/Certification%20Verification%20issue%20in%20light-oauth2.md