CVE-2022-25898: Improper Verification of Cryptographic Signature
(updated )
The package jsrsasign before 10.5.25 is vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.
References
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25898
- github.com/advisories/GHSA-3fvg-4v2m-98jf
- github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41
- github.com/kjur/jsrsasign/releases/tag/10.5.25
- github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf
- nvd.nist.gov/vuln/detail/CVE-2022-25898
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896
- snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122
Detect and mitigate CVE-2022-25898 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →