An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing (DP3T). When it is configured to check JWT before uploading/publishing keys, it is possible to skip the signature check by providing a JWT token with alg=none.
References
| Link | Resource |
|---|---|
| https://github.com/DP-3T/dp3t-sdk-backend/compare/v1.0.4...v1.1.0 | Release Notes, Third Party Advisory |
| https://github.com/DP-3T/dp3t-sdk-backend/security/advisories/GHSA-5m5q-3qw2-3xf3 | Patch, Third Party Advisory |
| https://github.com/dp-3T/dp3t-sdk-backend | Third Party Advisory |
Information
Published : 2020-07-30 07:15
Updated : 2020-08-05 11:47
NVD link : CVE-2020-15957
Mitre link : CVE-2020-15957
CWE
CWE-347
Improper Verification of Cryptographic Signature
Products Affected
dp3t-backend-software_development_kit_project
- dp3t-backend-software_development_kit