CVE-2017-18239: Exposure of Sensitive information in authentikat-jwt
CVSS Score: 9.8 (CVSS v3.0)
Basic Information

| Field | Value |
|---|---|
| CVE ID | CVE-2017-18239 |
| GHSA ID | |
| EPSS Score | 0.6107% |
| CWE | - |
| Published | 11/9/2018 |
| Updated | 1/9/2023 |
| KEV Status | No |
| Technology | Java |
Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.jason-goodwin:authentikat-jwt_2.12 | maven | <= 0.4.5 | 0.4.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from the use of providedSignature.contentEquals(signature) in the signature validation logic. That method performs a short-circuiting comparison, returning as soon as the first mismatching character is found, so the time it takes leaks how many leading characters of the provided signature matched the expected one. The fix replaced it with MessageDigest.isEqual, a constant-time comparison that does not stop at the first mismatch. The commit diff, the CVE description, and GitHub issue #12 all explicitly identify this line as the root cause.
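As an added illustration (this is not code from the authentikat-jwt project or from this advisory), the Java snippet below places the short-circuiting contentEquals check beside the MessageDigest.isEqual check the fix adopted, on an HS256 signing input; the key, signing input and helper names are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtSignatureCheck {
    // Constructed demo key (assumption for this example, not from the advisory).
    private static final byte[] KEY = "demo-secret-key".getBytes(StandardCharsets.UTF_8);

    // Expected HS256 signature for "header.payload", base64url without padding.
    static String hmacSha256(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] raw = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // The pattern the advisory describes as vulnerable: String.contentEquals
    // returns on the first mismatching character, so the time spent depends on
    // how long the common prefix of the two signatures is.
    static boolean validateShortCircuit(String signingInput, String providedSignature) throws Exception {
        String signature = hmacSha256(signingInput);
        return providedSignature.contentEquals(signature);
    }

    // The fixed pattern: MessageDigest.isEqual examines every byte rather than
    // stopping at the first mismatch, so the result is reached in constant time.
    static boolean validateConstantTime(String signingInput, String providedSignature) throws Exception {
        byte[] expected = hmacSha256(signingInput).getBytes(StandardCharsets.US_ASCII);
        byte[] provided = providedSignature.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(provided, expected);
    }

    public static void main(String[] args) throws Exception {
        // Constructed "header.payload" segment; only the comparison matters here.
        String signingInput = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0";
        String good = hmacSha256(signingInput);
        // Flip the last character so the signature shares a long prefix but is wrong.
        String tampered = good.substring(0, good.length() - 1) + (good.endsWith("A") ? "B" : "A");
        System.out.println("short-circuit, valid:    " + validateShortCircuit(signingInput, good));
        System.out.println("short-circuit, tampered: " + validateShortCircuit(signingInput, tampered));
        System.out.println("constant-time, valid:    " + validateConstantTime(signingInput, good));
        System.out.println("constant-time, tampered: " + validateConstantTime(signingInput, tampered));
    }
}
```

Both validators return the same booleans; the difference the advisory is about is in how long the rejection of the tampered value takes, which only the second form keeps independent of the matching prefix.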