Fixed signature verification bypass issue. - Githubissues

reallylabs / jwt-scala

JSON Web Token (JWT) Scala implementation

Apache License 2.0

38 stars 30 forks source link

Fixed signature verification bypass issue. #14

Closed harupu closed 7 years ago

harupu commented 7 years ago

I've fixed these signature verification bypass issues:

Allows malicious user to bypass all type of verification by using None header
Allows malicious user to bypass RSXXX verification by using crafted header with HSXXX algorithm.

To maintain compatibility, this fix doesn't require extra parameters but try to check key type when using HSXXX algorithm.