CVE-2019-18848 - OpenCVE

The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Json-jwt Project	Json-jwt

Configuration 1 [-]

cpe:2.3:a:json-jwt_project:json-jwt:*:*:*:*:*:ruby:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a
https://github.com/nov/json-jwt/compare/v1.10.2...v1.11.0
https://lists.debian.org/debian-lts-announce/2020/10/msg00001.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-12T14:23:54

Updated: 2024-08-05T02:02:39.724Z

Reserved: 2019-11-11T00:00:00

Link: CVE-2019-18848

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-11-12T15:15:10.880

Modified: 2022-05-03T14:28:18.317

Link: CVE-2019-18848

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-01T14:06:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nov/json-jwt/compare/v1.10.2...v1.11.0"}, {"name": "[debian-lts-announce] 20201001 [SECURITY] [DLA 2390-1] ruby-json-jwt security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00001.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18848", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a", "refsource": "MISC", "url": "https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a"}, {"name": "https://github.com/nov/json-jwt/compare/v1.10.2...v1.11.0", "refsource": "MISC", "url": "https://github.com/nov/json-jwt/compare/v1.10.2...v1.11.0"}, {"name": "[debian-lts-announce] 20201001 [SECURITY] [DLA 2390-1] ruby-json-jwt security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00001.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:02:39.724Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nov/json-jwt/compare/v1.10.2...v1.11.0"}, {"name": "[debian-lts-announce] 20201001 [SECURITY] [DLA 2390-1] ruby-json-jwt security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00001.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18848", "datePublished": "2019-11-12T14:23:54", "dateReserved": "2019-11-11T00:00:00", "dateUpdated": "2024-08-05T02:02:39.724Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:json-jwt_project:json-jwt:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "B10476D4-4E18-4530-97F0-BE8DF7CBBD64", "versionEndExcluding": "1.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string."}, {"lang": "es", "value": "La gema json-jwt versiones anteriores a 1.11.0 para Ruby, carece de un conteo de elementos durante la divisi\u00f3n de una cadena JWE."}], "id": "CVE-2019-18848", "lastModified": "2022-05-03T14:28:18.317", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-12T15:15:10.880", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/nov/json-jwt/compare/v1.10.2...v1.11.0"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00001.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}