Vulnerability Description
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.
CVSS Score
5.1
MEDIUM
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ymfe | Yapi | <= 1.9.2 |
Related Weaknesses (CWE)
References
- https://github.com/YMFE/yapi/issues/2117Third Party Advisory
- https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapiThird Party Advisory
- https://github.com/YMFE/yapi/issues/2117Third Party Advisory
- https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapiThird Party Advisory
FAQ
What is CVE-2021-27884?
CVE-2021-27884 is a vulnerability with a CVSS score of 5.1 (MEDIUM). Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used.
How severe is CVE-2021-27884?
CVE-2021-27884 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-27884?
Check the references section above for vendor advisories and patch information. Affected products include: Ymfe Yapi.