CVE-2020-28042: Improper Verification of Cryptographic Signature
ServiceStack mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
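The advisory's one-line description comes down to a length check that was missing before the fix: a verifier that never confirms the supplied signature is a full-length MAC can be talked into accepting a token whose signature has been stripped or truncated. The following is an added illustration, not ServiceStack's code, written in Python rather than C# for brevity. It builds an HS256 JWT, then verifies it two ways: `verify_hs256_prefix_compare` is a constructed, deliberately weak verifier that compares only as many bytes as the attacker supplied (a hypothetical stand-in for the class of bug the advisory describes, not the actual ServiceStack logic), while `verify_hs256` enforces the exact HMAC-SHA256 output length and a constant-time comparison before trusting the payload. The key and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# HMAC-SHA256 always yields exactly 32 bytes; anything else is not a valid HS256 signature.
HS256_SIG_LEN = 32

# Constructed demo secret; a real deployment loads this from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add padding so the standard decoder accepts unpadded input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWT: base64url(header).base64url(payload).base64url(mac)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def _split_and_decode(token: str):
    """Shared parsing; returns (header_b64, payload_b64, header, sig) or None on malformed input."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSON/Unicode decode errors
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    return header_b64, payload_b64, header, sig


def verify_hs256_prefix_compare(token: str, key: bytes) -> Optional[dict]:
    """WEAK, hypothetical verifier: compares only the prefix the caller supplied.

    An empty or truncated signature is a prefix of every MAC, so it is accepted.
    Present only to show why the minimum-length check below matters.
    """
    parsed = _split_and_decode(token)
    if parsed is None:
        return None
    header_b64, payload_b64, _, sig = parsed
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if expected[: len(sig)] != sig:  # BUG: length of `sig` is attacker-controlled
        return None
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: exact-length check plus constant-time comparison."""
    parsed = _split_and_decode(token)
    if parsed is None:
        return None
    header_b64, payload_b64, _, sig = parsed
    # Reject empty, truncated or oversized signatures before doing any comparison.
    if len(sig) != HS256_SIG_LEN:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Exercise both verifiers on a valid token and on the same token with its signature removed."""
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, DEMO_KEY)
    stripped = token.rsplit(".", 1)[0] + "."  # header.payload. with an empty signature
    return {
        "valid_hardened": verify_hs256(token, DEMO_KEY),
        "valid_weak": verify_hs256_prefix_compare(token, DEMO_KEY),
        "stripped_hardened": verify_hs256(stripped, DEMO_KEY),
        "stripped_weak": verify_hs256_prefix_compare(stripped, DEMO_KEY),
        "wrong_key_hardened": verify_hs256(token, b"wrong-key"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The detection angle for an application built on an affected library is the same check in reverse: log and alert on tokens whose decoded signature segment is shorter than the MAC length the configured algorithm produces, since a legitimate client never sends one.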
References
- forums.servicestack.net/t/servicestack-v5-9-2-released/8850
- github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee
- nvd.nist.gov/vuln/detail/CVE-2020-28042
- www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/
- www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/