com.inversoft:prime-jwt@0.2.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.inversoft:prime-jwt package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • H
JWT Signature Bypass

com.inversoft:prime-jwt is a JWT signature encoder and decoder.

Affected versions of this package are vulnerable to JWT Signature Bypass. The JWTDecoder class decodes and validates any unsigned JWT, even when a Verifier object is provided.

How to fix JWT Signature Bypass?

Upgrade prime-jwt to version 1.3.1 or higher.

Vulnerable versions: [,1.3.1)
  • C
Signature Validation Bypass

com.inversoft:prime-jwt is a simple to use Java 8 JWT Library.

Affected versions of this package are vulnerable to Signature Validation Bypass. The package contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT being decoded, and thus implicitly validated, even if it lacks a valid signature. This attack appears to be exploitable by an attacker crafting a token with a valid header and body and then requesting that it be validated.

How to fix Signature Validation Bypass?

Upgrade com.inversoft:prime-jwt to version 1.3.0 or higher.

Vulnerable versions: [,1.3.0)