
CVE-2017-10862: Insufficient Data Verification in io.really:jwt-scala

CVSS Score: 5.3 (CVSS v3.0)

Basic Information

EPSS Score: 0.45828%
Published: 5/17/2022
Updated: 1/30/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name: io.really:jwt-scala
Ecosystem: maven
Vulnerable Versions: <= 1.2.2
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper algorithm handling during JWT verification. The JVN advisory attributes the root cause to improper processing of JWT headers, in particular the 'alg' field. JWT.decode, which the library's documentation presents as the primary verification entry point, performs signature validation but did not enforce that the algorithm named in the token header matched the algorithm the verifier expected to use. That is the pattern behind the well-known 'alg: none' and algorithm-confusion attacks: a token whose header declares an algorithm of the attacker's choosing can be accepted as if it carried a valid signature. The CWE-345 classification (Insufficient Verification of Data Authenticity) is consistent with this reading.
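The following is an added illustration, not code from jwt-scala or from this advisory, of the header-controlled verification pattern described above and of the fix a verifier should apply. It builds minimal HS256/HS384/HS512 JWTs with the Python standard library only; the secret, claims and function names (`decode_vulnerable`, `decode_hardened`, `demo`) are constructed for this example and do not correspond to jwt-scala's API. `decode_vulnerable` lets the token's own `alg` header select how (or whether) the signature is checked; `decode_hardened` pins the algorithm on the verifier side, so a forged `alg: none` token is rejected.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the example; not a real key.
SECRET = b"example-shared-secret"

# HMAC algorithms the illustrative verifier understands.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Mint a compact JWT. alg=none produces an empty signature segment (RFC 7518 s3.6)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}"
    if header["alg"] == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode(), HMAC_ALGS[header["alg"]]).digest()
    return signing_input + "." + b64url_encode(mac)


def split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(b64url_decode(parts[0])), parts


def decode_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the token header to choose the algorithm: the CWE-345 failure mode."""
    header, (h, p, s) = split(token)
    alg = header.get("alg")
    if alg == "none":
        # The signature is skipped because the (attacker-controlled) header said so.
        return json.loads(b64url_decode(p))
    if alg not in HMAC_ALGS:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), HMAC_ALGS[alg]).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None


def decode_hardened(token: str, key: bytes, expected_alg: str) -> Optional[dict]:
    """The verifier, not the token, fixes the algorithm; 'none' can never be selected."""
    if expected_alg not in HMAC_ALGS:
        raise ValueError("unsupported expected algorithm")
    header, (h, p, s) = split(token)
    if header.get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), HMAC_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def demo() -> dict:
    """Genuine token vs. an attacker-minted alg=none token, against both verifiers."""
    genuine = sign({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "admin": False}, SECRET)
    # The forger needs no key: alg=none means no signature at all.
    forged = sign({"alg": "none", "typ": "JWT"}, {"sub": "alice", "admin": True}, SECRET)
    return {
        "genuine_vulnerable": decode_vulnerable(genuine, SECRET),
        "genuine_hardened": decode_hardened(genuine, SECRET, "HS256"),
        "forged_vulnerable": decode_vulnerable(forged, SECRET),
        "forged_hardened": decode_hardened(forged, SECRET, "HS256"),
    }


if __name__ == "__main__":
    for name, claims in demo().items():
        print(f"{name}: {claims}")
```

Both verifiers accept the genuine token, but only the header-trusting one accepts the forged `admin: true` payload. The same pinning rule defends against key-type confusion between asymmetric and HMAC algorithms: the verifier must decide which algorithm and which key material are acceptable before looking at the token, and reject anything else.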


WAF Protection Rules

WAF Rule

jwt-scala 1.2.2 and earlier fails to verify token signatures correctly, which may lead to an attacker being able to pass specially crafted JWT data as a correctly signed token.
