
Dependency json-jwt allows bypass of identity checks via a sign/encryption confusion attack (CVE-2023-51774)

Open araccaine opened this issue 1 year ago • 0 comments

Issue

The gem rack-oauth2 has json-jwt >= 1.11.0 as a dependency, which is vulnerable to CVE-2023-51774 (see https://github.com/advisories/GHSA-c8v6-786g-vjx6).

Patched versions are 1.16.6 and 1.15.3.1.

Temporary fix

Add gem 'json-jwt', '>= 1.16.6' to your Gemfile to ensure the patched gem version.

araccaine, Mar 08 '24 16:03
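As an added example (not code from the issue or from the rack-oauth2 project), a Ruby check that reads the resolved json-jwt version out of a Gemfile.lock and tests it against the two patched releases named above. The lock file text is constructed; the gem versions in it are assumed for illustration. The point worth encoding is that the fix lives on two branches: 1.15.3.1 is patched, but 1.16.0 through 1.16.5 are not, so a single ">= 1.15.3.1" comparison would clear versions that are still affected.

```ruby
require 'rubygems'

# Patched json-jwt releases for CVE-2023-51774, as listed in the issue:
# the 1.15 branch is fixed at 1.15.3.1, the 1.16 branch at 1.16.6.
PATCHED_1_15 = Gem::Version.new('1.15.3.1')
FIRST_1_16   = Gem::Version.new('1.16.0')
PATCHED_1_16 = Gem::Version.new('1.16.6')

# True when this json-jwt version is still affected by CVE-2023-51774.
# Two ranges are vulnerable: everything below 1.15.3.1, and the 1.16.x
# releases before 1.16.6. A naive ">= 1.15.3.1" check would miss the second.
def json_jwt_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < PATCHED_1_15
  return true if v >= FIRST_1_16 && v < PATCHED_1_16
  false
end

# Pulls the resolved json-jwt version from Gemfile.lock text. Only the
# four-space "specs:" entry is matched, so the six-space dependency line
# "json-jwt (>= 1.11.0)" under rack-oauth2 is ignored. Returns nil if absent.
def json_jwt_version_from_lock(lock_text)
  m = lock_text.match(/^    json-jwt \((\d[^)]*)\)\s*$/)
  m && m[1]
end

# Constructed Gemfile.lock fragment (versions assumed for illustration).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json-jwt (1.16.5)
        activesupport (>= 4.2)
      rack-oauth2 (2.0.0)
        activesupport
        json-jwt (>= 1.11.0)
LOCK

if __FILE__ == $0
  resolved = json_jwt_version_from_lock(SAMPLE_LOCK)
  puts "json-jwt #{resolved}: #{json_jwt_vulnerable?(resolved) ? 'VULNERABLE' : 'patched'}"
end
```

Run it against your own lock file by replacing SAMPLE_LOCK with File.read('Gemfile.lock'); a nil result means json-jwt is not resolved in that lock at all.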