Vonage / vonage-php-sdk-video

Vonage Video SDK for PHP
Apache License 2.0

vonage/client-core-dev-enhancements/fixes-for-video: 1 vulnerabilities (highest severity is: 3.3) - autoclosed #3

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - vonage/client-core-dev-enhancements/fixes-for-video

Found in HEAD commit: da4bd4ed4538a42ca1610d23faf4276107b8f782

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-41106 | Low | 3.3 | lcobucci/jwt-4.0.0 | Transitive | N/A | |

Details

CVE-2021-41106

### Vulnerable Library - lcobucci/jwt-4.0.0

A simple library to work with JSON Web Token and JSON Web Signature

Library home page: https://api.github.com/repos/lcobucci/jwt/zipball/6d8665ccd924dc076a9b65d1ea8abe21d68f6958

Dependency Hierarchy:
- vonage/client-core-dev-enhancements/fixes-for-video (Root Library)
  - :x: **lcobucci/jwt-4.0.0** (Vulnerable Library)

Found in HEAD commit: da4bd4ed4538a42ca1610d23faf4276107b8f782

Found in base branch: 0.x

### Vulnerability Details

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are led to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\JWT\Signer\Key\LocalFileReference`, and suggest `Lcobucci\JWT\Signer\Key\InMemory` as the alternative. As a workaround, use `Lcobucci\JWT\Signer\Key\InMemory` instead of `Lcobucci\JWT\Signer\Key\LocalFileReference` to create the instances of one's keys.

Publish Date: 2021-09-28

URL: CVE-2021-41106

### CVSS 3 Score Details (3.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41106

Release Date: 2021-09-28

Fix Resolution: lcobucci/jwt - 3.4.6,4.0.4,4.1.5
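The report above says the affected versions sign with "the file path as hashing key", which is easy to misjudge because tokens still round-trip through issue and validate. The script below is an added example, not code from the Vonage SDK, the Mend report, or lcobucci/jwt: it reproduces the effect in plain PHP (no Composer dependency) and provides a check, `hs256_key_origin()`, that tells whether a token already in circulation was minted with the key file's path rather than its contents. It assumes the string the affected versions handed to `hash_hmac()` was the `file://`-prefixed path (the advisory only says "the file path"), so the check tries both the bare and the prefixed form. The key file, claims, and helper names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2021-41106 (not from the SDK, the report, or the library).
// Assumption: affected lcobucci/jwt versions fed hash_hmac() the string
// 'file://' . $path when LocalFileReference::file($path) was used as the key.

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $s): string
{
    $pad = strlen($s) % 4;
    if ($pad !== 0) {
        $s .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($s, '-_', '+/'), true) ?: '';
}

/** Mint an HS256 token over $claims with the given raw key bytes. */
function hs256_token(array $claims, string $keyBytes): string
{
    $header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = b64url(json_encode($claims));
    $sig     = hash_hmac('sha256', $header . '.' . $payload, $keyBytes, true);
    return $header . '.' . $payload . '.' . b64url($sig);
}

/** Constant-time HS256 verification against raw key bytes. */
function hs256_valid(string $jwt, string $keyBytes): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$h, $p, $s] = $parts;
    $expected = hash_hmac('sha256', $h . '.' . $p, $keyBytes, true);
    return hash_equals($expected, b64url_decode($s));
}

/**
 * 'path'     -> token verifies under the key file's path (vulnerable behaviour)
 * 'contents' -> token verifies under the file's contents (correct behaviour)
 * 'none'     -> neither
 */
function hs256_key_origin(string $jwt, string $keyFile): string
{
    foreach ([$keyFile, 'file://' . $keyFile] as $pathAsKey) {
        if (hs256_valid($jwt, $pathAsKey)) {
            return 'path';
        }
    }
    if (hs256_valid($jwt, (string) file_get_contents($keyFile))) {
        return 'contents';
    }
    return 'none';
}

// --- demonstration with a constructed key file -------------------------------
$keyFile = tempnam(sys_get_temp_dir(), 'hmac');
file_put_contents($keyFile, random_bytes(32));   // a real 256-bit secret
$claims = ['iss' => 'example', 'sub' => 'user-1', 'exp' => time() + 300];

// What the affected versions did with LocalFileReference::file($keyFile):
$weakToken = hs256_token($claims, 'file://' . $keyFile);
// What the patched versions do, and what InMemory::file($keyFile) does:
$strongToken = hs256_token($claims, (string) file_get_contents($keyFile));

echo 'weak token signed with: ', hs256_key_origin($weakToken, $keyFile), "\n";     // path
echo 'strong token signed with: ', hs256_key_origin($strongToken, $keyFile), "\n"; // contents

// Anyone who knows (or guesses) the path can forge a token without the secret,
// and a validator running the affected code accepts it:
$forged = hs256_token(['iss' => 'example', 'sub' => 'admin'], 'file://' . $keyFile);
echo 'forged token accepted under weak key: ',
     var_export(hs256_valid($forged, 'file://' . $keyFile), true), "\n";       // true

unlink($keyFile);

// Library-level equivalent (lcobucci/jwt 4.x API as I recall it; not executed here):
//   vulnerable: Configuration::forSymmetricSigner(new Sha256(), LocalFileReference::file($keyFile));
//   fixed:      Configuration::forSymmetricSigner(new Sha256(), InMemory::file($keyFile));
```

Two things follow from the script. First, upgrading alone is not enough if tokens minted under the weak key are still live: they will stop validating after the upgrade (the key material changes from path to contents), so rotate or reissue them and expect a burst of validation failures at deploy time. Second, `hs256_key_origin()` run over a sample of tokens from logs or the token store gives a quick answer to whether the weak path was ever actually used, which is what decides whether this low-scored, locally-exploitable finding needs an incident follow-up.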

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.