
GHSA-mx47-h5fv-ghwh: light-oauth2 missing public key verification

light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.


High severity GitHub Reviewed Published Oct 25, 2023 to the GitHub Advisory Database • Updated Oct 27, 2023

Related news

CVE-2023-31580: A certificate verification issue when get the public key used to verify JWT. · Issue #369 · networknt/light-oauth2

