Vulnerability CVE-2021-46743: Information

Description

In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-46743
Published: March 29, 2022
Modified: April 8, 2022
Error type identifier: CWE-843

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
itopsisyphus3.0.3-alt13.1.1.1-alt1ALT-PU-2023-1879-1321861Fixed
itopsisyphus_e2k3.0.3-alt13.1.1.1-alt1ALT-PU-2023-3678-1-Fixed
itopp103.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-4537-3343613Fixed
itopp10_e2k3.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-4805-1-Fixed
itopc10f13.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-4961-2343640Fixed
itopc9f23.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-4547-3343621Fixed
itopp113.0.3-alt13.1.1.1-alt1ALT-PU-2023-1879-1321861Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/firebase/php-jwt/issues/351
  • Exploit
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:google:firebase_php-jwt:*:*:*:*:*:*:*:*
      End excliding
      6.0.0
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top