Insecure Encryption Affecting firebase/php-jwt package, versions <6.0.0
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.12% (47th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-FIREBASEPHPJWT-2434829
- published 29 Mar 2022
- disclosed 29 Mar 2022
- credit paragonie-security
Introduced: 29 Mar 2022
CVE-2021-46743 Open this link in a new tabHow to fix?
Upgrade firebase/php-jwt
to version 6.0.0 or higher.
Overview
Affected versions of this package are vulnerable to Insecure Encryption due to an algorithm-confusion issue (e.g., RS256 / HS256) that exists via the kid
(aka Key ID) header when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key.
References
CVSS Scores
version 3.1