
CVE-2017-18239: Exposure of Sensitive information in authentikat-jwt

CVSS Score: 9.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.6107%
CWE: -
Published: 11/9/2018
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: com.jason-goodwin:authentikat-jwt_2.12
Ecosystem: maven
Vulnerable Versions: <= 0.4.5
First Patched Version: 0.4.6

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from the use of providedSignature.contentEquals(signature) in the validation logic of JsonWebToken.validate. String.contentEquals delegates to String.equals when given a String, which compares the lengths and then the characters in order and returns at the first mismatch, so the time taken to reject a token grows with the length of the correctly guessed prefix of the signature (an observable timing discrepancy, CWE-208). An attacker who can submit tokens and measure response times can therefore recover the expected signature one character at a time and forge a valid token. The fix, shipped in 0.4.6, replaced the comparison with MessageDigest.isEqual, which compares every byte before returning (constant-time in current JDKs; early JDK 6 builds short-circuited as well, so the JDK version matters). The commit diff, CVE description, and GitHub issue #12 all explicitly identify this line as the root cause. Remediation is to upgrade to 0.4.6 or later.
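The following Scala program is an added example and is not authentikat-jwt's own code. It builds a minimal HS256 JWT validator twice: once with the short-circuiting String.contentEquals comparison that 0.4.5 and earlier used, and once with the MessageDigest.isEqual comparison the fix adopted. The key, header and claims are constructed sample data; the function and object names (JwtTimingDemo, validateVulnerable, validateFixed) are the example's own and do not exist in the library.

```scala
// Added example (not authentikat-jwt's own code): a minimal HS256 JWT
// validator showing the vulnerable short-circuit comparison beside the
// constant-time comparison that the fix for CVE-2017-18239 adopted.
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import scala.util.Try

object JwtTimingDemo {
  private val b64 = Base64.getUrlEncoder.withoutPadding
  private val b64d = Base64.getUrlDecoder

  // HMAC-SHA256 over the signing input (base64url(header) + "." + base64url(claims)).
  def hs256(key: Array[Byte], data: String): Array[Byte] = {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(new SecretKeySpec(key, "HmacSHA256"))
    mac.doFinal(data.getBytes(UTF_8))
  }

  // Produce a compact JWS: header.claims.signature, all base64url without padding.
  def sign(key: Array[Byte], headerJson: String, claimsJson: String): String = {
    val signingInput = b64.encodeToString(headerJson.getBytes(UTF_8)) + "." +
      b64.encodeToString(claimsJson.getBytes(UTF_8))
    signingInput + "." + b64.encodeToString(hs256(key, signingInput))
  }

  // Vulnerable shape (0.4.5 and earlier): String.contentEquals stops at the
  // first mismatching character, so rejection time depends on how long the
  // attacker's prefix matches the expected signature.
  def validateVulnerable(jwt: String, key: Array[Byte]): Boolean =
    jwt.split("\\.", -1) match {
      case Array(header, claims, providedSignature) =>
        val signature = b64.encodeToString(hs256(key, header + "." + claims))
        providedSignature.contentEquals(signature)
      case _ => false
    }

  // Fixed shape (0.4.6): MessageDigest.isEqual examines every byte before
  // answering, so comparison time does not reveal where the mismatch is.
  // It still returns early when the lengths differ; that is acceptable here
  // because a valid HMAC-SHA256 signature always has the same length.
  def validateFixed(jwt: String, key: Array[Byte]): Boolean =
    jwt.split("\\.", -1) match {
      case Array(header, claims, providedSignature) =>
        val signature = hs256(key, header + "." + claims)
        // Malformed base64url in the attacker-controlled part is simply a rejection.
        Try(b64d.decode(providedSignature)).toOption
          .exists(provided => MessageDigest.isEqual(provided, signature))
      case _ => false
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample key and payload for the demo only.
    val key = "constructed-demo-key-do-not-reuse".getBytes(UTF_8)
    val token = sign(key, """{"alg":"HS256","typ":"JWT"}""", """{"sub":"alice"}""")

    // Forge an attempt by altering the first character of the signature.
    val Array(h, c, s) = token.split("\\.")
    val forged = s"$h.$c." + (if (s.head == 'A') 'B' else 'A') + s.tail

    println(s"genuine: vulnerable=${validateVulnerable(token, key)} fixed=${validateFixed(token, key)}")
    println(s"forged:  vulnerable=${validateVulnerable(forged, key)} fixed=${validateFixed(forged, key)}")
  }
}
```

Both validators return the same booleans; the difference is only in how long the false branch takes as a function of the attacker's input, which is exactly what the advisory describes. A functional test suite will therefore never catch this class of bug, which is why a code review or a lint rule that flags string equality on secrets or MACs is the practical control.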

Vulnerable functions

authentikat.jwt.JsonWebToken.validate (main/scala/authentikat/jwt/JsonWebToken.scala), the method named in the CVE description.

WAF Protection Rules

WAF Rule

A time-sensitive equality check on the JWT signature in the JsonWebToken.validate method in main/scala/authentikat/jwt/JsonWebToken.scala in authentikat-jwt (aka com.jason-goodwin/authentikat-jwt) version 0.4.5 and earlier allows the supplier of a JW
