Vulnerabilities > CVE-2023-23928 - Unspecified vulnerability in Reason-Jose Project Reason-Jose
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
References
- https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5
- https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5
- https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2
- https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2
- https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7
- https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7