CVE-2016-5431: Key confusion attack

August 7, 2019 (updated October 9, 2019)

The PHP JOSE Library is vulnerable to key confusion/algorithm substitution in the JWS component resulting in bypassing the signature verification via crafted tokens.

References

github.com/nov/jose-php/commit/1cce55e27adf0274193eb1cd74b927a398a3df4b
nvd.nist.gov/vuln/detail/CVE-2016-5431

Detect and mitigate CVE-2016-5431 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →