CVE-2019-1010263 - OpenCVE

Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Perl Crypt\	\

Configuration 1 [-]

cpe:2.3:a:perl_crypt\:\:jwt_project:perl_crypt\:\:jwt:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/DCIT/perl-Crypt-JWT/commit/b98a59b42ded9f9e51b2560410106207c2152d6c
https://www.openwall.com/lists/oss-security/2018/09/07/1

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-17T20:32:15

Updated: 2024-08-05T03:07:18.361Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010263

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-17T21:15:10.780

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-1010263

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Perl Crypt::JWT", "vendor": "Perl Crypt::JWT", "versions": [{"status": "affected", "version": "prior to 0.023 [fixed: after commit b98a59b42ded9f9e51b2560410106207c2152d6c]"}]}], "descriptions": [{"lang": "en", "value": "Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c."}], "problemTypes": [{"descriptions": [{"description": "Incorrect Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-17T20:32:15", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2018/09/07/1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DCIT/perl-Crypt-JWT/commit/b98a59b42ded9f9e51b2560410106207c2152d6c"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010263", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Perl Crypt::JWT", "version": {"version_data": [{"version_value": "prior to 0.023 [fixed: after commit b98a59b42ded9f9e51b2560410106207c2152d6c]"}]}}]}, "vendor_name": "Perl Crypt::JWT"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Incorrect Access Control"}]}]}, "references": {"reference_data": [{"name": "https://www.openwall.com/lists/oss-security/2018/09/07/1", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2018/09/07/1"}, {"name": "https://github.com/DCIT/perl-Crypt-JWT/commit/b98a59b42ded9f9e51b2560410106207c2152d6c", "refsource": "MISC", "url": "https://github.com/DCIT/perl-Crypt-JWT/commit/b98a59b42ded9f9e51b2560410106207c2152d6c"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.361Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2018/09/07/1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DCIT/perl-Crypt-JWT/commit/b98a59b42ded9f9e51b2560410106207c2152d6c"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010263", "datePublished": "2019-07-17T20:32:15", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.361Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:perl_crypt\\:\\:jwt_project:perl_crypt\\:\\:jwt:*:*:*:*:*:*:*:*", "matchCriteriaId": "59B69497-35F7-4591-8B0D-1F1C62E3811C", "versionEndExcluding": "0.023", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c."}, {"lang": "es", "value": "Perl Crypt::JWT anterior a versi\u00f3n 0.023, est\u00e1 afectado por: Control de Acceso Incorrecto. El impacto es: permitir a los atacantes omitir la autenticaci\u00f3n proporcionando un token para dise\u00f1ar con la funci\u00f3n hmac(). El componente es: el archivo JWT.pm, l\u00ednea 614. El vector de ataque es: conectividad de red. La versi\u00f3n corregida es: despu\u00e9s de commit b98a59b42ded9f9e51b2560410106207c2152d6c."}], "id": "CVE-2019-1010263", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-17T21:15:10.780", "references": [{"source": "josh@bress.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/DCIT/perl-Crypt-JWT/commit/b98a59b42ded9f9e51b2560410106207c2152d6c"}, {"source": "josh@bress.net", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2018/09/07/1"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}