Vulnerability Description
reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Reason-Jose Project | Reason-Jose | < 0.8.2 |
Related Weaknesses (CWE)
References
- https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da490723PatchThird Party Advisory
- https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2Release NotesThird Party Advisory
- https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpmThird Party Advisory
- https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da490723PatchThird Party Advisory
- https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2Release NotesThird Party Advisory
- https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpmThird Party Advisory
FAQ
What is CVE-2023-23928?
CVE-2023-23928 is a vulnerability with a CVSS score of 5.9 (MEDIUM). reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform add...
How severe is CVE-2023-23928?
CVE-2023-23928 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-23928?
Check the references section above for vendor advisories and patch information. Affected products include: Reason-Jose Project Reason-Jose.