Advisories for Gem/Json-Jwt package

The json-jwt (aka JSON::JWT) gem 1.16.x before 1.16.6, 1.15.x before 1.15.3.1 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.

The json-jwt gem before for Ruby lacks an element count during the splitting of a JWE string.

json-jwt is vulnerable to improper verification of cryptographic signatures when decrypting AES-GCM encrypted JSON Web Tokens. This can result in an attacker being able to forge an authentication tag.