DerScanner
Home / Vulnerability Database / Java : Unsafe JWT-token verification
Java

Java : Unsafe JWT-token verification

Classification

OWASP Top 10 2013
A1-Injection
OWASP Top 10 2017
A1-InjectionA8-Insecure Deserialization
OWASP Top 10 2021
A3-InjectionA8-Software and Data Integrity Failures
PCI DSS 4.0
6.2.4
CWE
CWE-1027

Overview

An unsafe way of verifying the JWT-token is used.

DefaultJwtParser method from io.jsonwebtoken.impl package verifies the token only if there is a signature. If a token without a signature is passed, the verification step will be skipped. This can lead to token tampering and leakage of confidential data.

References

  1. Hacking JSON Web Tokens (JWTs) - The Startup
  2. JSON Web Token for Java - OWASP Cheat Sheet Series
  3. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
MEDIUM

DerScanner Severity Score

Do you want to fix Java : Unsafe JWT-token verification in your application?

See also

Java

Java : Race condition

Java

Java : Text4Shell Vulnerability

Java

Java : JNI usage