CVE-2022-25898
Summary
| CVE | CVE-2022-25898 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-07-01 20:15:00 UTC |
| Updated | 2022-07-13 19:01:00 UTC |
| Description | The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method. |
Risk And Classification
Problem Types: CWE-347
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Jsrsasign Project | Jsrsasign | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Improper Verification of Cryptographic Signature in org.webjars.npm:jsrsasign | CVE-2022-25898 | Snyk | CONFIRM | snyk.io | |
| Improper Verification of Cryptographic Signature in org.webjars.bowergithub.kjur:jsrsasign | CVE-2022-25898 | Snyk | CONFIRM | snyk.io | |
| Release CVE-2022-25898 Security fix in JWS and JWT validation · kjur/jsrsasign · GitHub | CONFIRM | github.com | |
| Improper Verification of Cryptographic Signature in org.webjars.bower:jsrsasign | CVE-2022-25898 | Snyk | CONFIRM | snyk.io | |
| CVE-2022-25898 Security fix in JWS and JWT validation · kjur/jsrsasign@4536a6e · GitHub | CONFIRM | github.com | |
| Improper Verification of Cryptographic Signature in jsrsasign | CVE-2022-25898 | Snyk | CONFIRM | snyk.io | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Adi Malyanker
LEGACY: Or David
There are currently no legacy QID mappings associated with this CVE.