web-token/jwt-library Security Advisories for 4.1.2 (4)
- [MEDIUM] JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
  PKSA-58h1-qnck-61bt GHSA-5739-39v2-5754
  Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [HIGH] RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
  PKSA-237v-kv6c-dpkr GHSA-3prj-6hqw-cm82
  Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [HIGH] Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption
  PKSA-66dc-42nb-26yy GHSA-jc38-x7x8-2xc8
  Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7
  Reported by: GitHub, FriendsOfPHP/security-advisories

- [MEDIUM] PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
  PKSA-qw7k-npv6-3pbk GHSA-6vvh-pxr4-25r7
  Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7
  Reported by: GitHub, FriendsOfPHP/security-advisories