SB2022091935 - Insufficient verification of data authenticity in jwcrypto
Published: September 19, 2022
Updated: April 8, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2022-3102)
The vulnerability allows a remote attacker to bypass authentication or authorization.
The vulnerability exists due to improper token type handling in the JWT validation logic when processing a substituted token. A remote attacker can supply a crafted JWE in place of an expected signed JWS to bypass authentication or authorization.
Exploitation requires that the validating application has access to the private key during token validation and accepts tokens without separating signing and decryption key usage.
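The substitution described above can be caught before any key is used, by checking that the compact token has the shape of a signed JWS and that the key handed to the validator cannot decrypt. The following Python code is an added example, not code from jwcrypto or from this bulletin; the allow-list `ALLOWED_SIG_ALGS`, the function names and the sample tokens and key are assumptions constructed for illustration.

```python
import base64
import json

# Assumed policy for this example: signature algorithms the application issues.
ALLOWED_SIG_ALGS = {"RS256", "ES256"}


class TokenTypeError(ValueError):
    """The compact token or key does not fit a signed-JWS verification flow."""


def b64url_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def require_compact_jws(token: str) -> dict:
    """Return the protected header if token is a compact JWS, else raise."""
    parts = token.split(".")
    # Compact JWS has 3 segments (RFC 7515); compact JWE has 5 (RFC 7516).
    if len(parts) != 3:
        raise TokenTypeError(f"expected 3 segments, got {len(parts)}")
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise TokenTypeError("unreadable protected header") from exc
    # "enc" is a JWE-only header parameter: an encrypted token was substituted.
    if not isinstance(header, dict) or "enc" in header:
        raise TokenTypeError("not a JWS header (non-object or carries 'enc')")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_SIG_ALGS:
        raise TokenTypeError(f"alg {alg!r} is not an allowed signature alg")
    return header


def require_verify_only_key(jwk: dict) -> None:
    """Reject a JWK that could also decrypt: private part or non-'sig' use."""
    if "d" in jwk:  # private parameter of RSA and EC keys (RFC 7518)
        raise TokenTypeError("verification key contains private material")
    if jwk.get("use") != "sig":
        raise TokenTypeError("verification key is not marked use=sig")


# Constructed sample inputs (placeholder segments, not real tokens or keys).
SAMPLE_JWS = ".".join([b64url_json({"alg": "RS256"}), "e30", "c2ln"])
SAMPLE_JWE = ".".join([b64url_json({"alg": "RSA-OAEP", "enc": "A256GCM"}), "a", "b", "c", "d"])
SAMPLE_PUBLIC_JWK = {"kty": "RSA", "use": "sig", "n": "placeholder", "e": "AQAB"}
```

Both checks run before signature verification and do not replace it.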
Remediation
Install the update from the vendor's website.