vuln(NSWG-ECO-87): specify vulnerable versions for jwt-simple (#221)

nodejs · Apr 11, 2018 · fc9e29e · fc9e29e
1 parent e745454
commit fc9e29e
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/vuln/npm/87.json b/vuln/npm/87.json
@@ -7,13 +7,13 @@
   "module_name": "jwt-simple",
   "publish_date": "2016-10-31T20:32:51+00:00",
   "cves": [],
-  "vulnerable_versions": null,
-  "patched_versions": null,
+  "vulnerable_versions": "< 0.3.0",
+  "patched_versions": ">= 0.3.0",
   "slug": "jwt-simple_forgeable-publicprivate-tokens",
   "overview": "Since \"algorithm\" isn't enforced in jwt.decode(), a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.",
   "recommendation": "Change jwt.decode() to include an algorithm parameter.",
   "references": "- https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/\n- https://github.com/hokaccha/node-jwt-simple/pull/14\n- https://github.com/hokaccha/node-jwt-simple/pull/16",
   "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
   "cvss_score": 4.2,
   "coordinating_vendor": "^Lift Security"
-}
+}