CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

CVE-2023-6905

CVE-2023-6903

CVE-2023-6904

CVE-2023-3907

reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.

**Impact**

Jose.Jws.validate does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks.

Such tampering could expose applications using reason-jose to authorisation bypass.  
Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation.

**Patches**

0.8.2

**Workarounds**

If you can avoid using symmetric keys and instead use asymmetric keys that should be working as intended already.

Headline

CVE-2023-23928: Jws ignores signature checks

CVE: Latest News