
CVE-2022-32430:
Hardcoded JWT Token in Lin CMS Spring Boot

CVSS Score
7.5

Basic Information

EPSS Score
-
Published
7/22/2022
Updated
8/17/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name
io.github.talelin:lin-cms-core
Ecosystem
maven
Vulnerable Versions
<= 0.2.1
First Patched Version
(not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from a JWT signing secret hardcoded in the application's application.yml configuration file (the lin.cms.token-secret property), not from a flaw in any particular code function. Because the secret ships with the source and with every built artifact, anyone who reads it can mint tokens that the application accepts as genuine, so every code path that signs or verifies JWTs with this static value is affected. The root cause is therefore a secret exposed through a misconfigured resource (CWE-668) rather than faulty code logic. The advisory cites the configuration line directly but names no functions in the codebase, so function-level attribution would be speculative without further code context.
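As an added illustration (example code written for this page, not Lin CMS's own code): a small Python check that flags a literal lin.cms.token-secret in a constructed application.yml, shows the hardened form that defers the value to an environment variable, and demonstrates why the literal matters by signing a token with the secret read from the file and having a server configured from the same file accept it. The property name is the one the advisory cites; the HS256 algorithm, the placeholder secret value, the claim names and the LIN_CMS_TOKEN_SECRET variable are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample config, not the project's real file. The property name
# lin.cms.token-secret comes from the advisory; the value is a placeholder
# chosen for this example (assumption).
VULNERABLE_YML = """\
lin:
  cms:
    token-secret: "placeholder-secret-checked-into-git"
"""

# Hardened form: a Spring-style ${...} placeholder resolved from the environment
# at startup, so neither the repository nor the jar carries the key.
HARDENED_YML = """\
lin:
  cms:
    token-secret: "${LIN_CMS_TOKEN_SECRET}"
"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def find_token_secret(yml: str):
    """Naive line-based lookup of token-secret (a CI grep, not a YAML parser)."""
    m = re.search(r'^\s*token-secret:\s*"?([^"\n]*?)"?\s*$', yml, re.M)
    return m.group(1) if m else None


def is_hardcoded(value) -> bool:
    """Any literal that is not a ${...} placeholder is baked into the build."""
    return value is not None and PLACEHOLDER.fullmatch(value) is None


def resolve_secret(value: str, env: dict) -> str:
    """Resolve ${VAR} from env; refuse to start without a key or with one shorter
    than the 256-bit minimum RFC 7518 section 3.2 requires for HS256."""
    m = PLACEHOLDER.fullmatch(value)
    if m:
        if m.group(1) not in env:
            raise RuntimeError(f"{m.group(1)} is not set; refusing to start without a signing key")
        value = env[m.group(1)]
    if len(value.encode()) < 32:
        raise RuntimeError("token secret is shorter than 256 bits")
    return value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT signer: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str):
    """Return the claims when the HMAC matches the secret, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def forged_token_accepted(yml: str, server_env: dict) -> bool:
    """The server resolves its key from the config plus its environment; the
    attacker only has the config file (e.g. from the public repository) and
    signs with whatever literal it contains. Claim names are assumptions."""
    server_secret = resolve_secret(find_token_secret(yml), server_env)
    attacker_secret = find_token_secret(yml)
    forged = sign_hs256({"identity": 1, "scope": "lin"}, attacker_secret)
    return verify_hs256(forged, server_secret) is not None


if __name__ == "__main__":
    print("vulnerable config, forgery accepted:", forged_token_accepted(VULNERABLE_YML, {}))
    env = {"LIN_CMS_TOKEN_SECRET": "k" * 40}
    print("hardened config, forgery accepted:", forged_token_accepted(HARDENED_YML, env))
```

With the vulnerable file the forged token verifies because server and attacker hold the same literal; with the hardened file the literal in the config is only a placeholder string, the attacker's HMAC does not match the key the server took from its environment, and the forgery is rejected. Moving the key out of the file is only half the fix: a secret that has already been published in a repository stays compromised however it is loaded afterwards, so it must also be rotated.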


WAF Protection Rules

WAF Rule

An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.
