CVE-2018-1000539

{"id": "CVE-2018-1000539", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2018-06-26T16:29:02.163", "references": [{"url": "https://github.com/nov/json-jwt/pull/62", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2018/dsa-4283", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in Attacker can forge a authentication tag. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 1.9.4 and later."}, {"lang": "es", "value": "Nov json-jwt, en versiones 0.5.0 hasta la 1.9.4 contiene una vulnerabilidad CWE-347: verificaci\u00f3n incorrecta de firmas criptogr\u00e1ficas en el descifrado de tokens web JSON cifrados por AES-GCM que puede resultar en que un atacante falsifique una etiqueta de autenticaci\u00f3n. Este ataque parece ser explotable mediante conectividad de red. La vulnerabilidad parece haber sido solucionada en las versiones 1.9.4 y siguientes."}], "lastModified": "2018-09-02T10:29:00.290", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:json-jwt_project:json-jwt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE657A1B-79DE-4562-BB57-5C59DED272A7", "versionEndExcluding": "1.9.4", "versionStartIncluding": "0.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}