- Description
- cjwt is a C JSON Web Token (JWT) implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between signing methods. If the system does not differentiate between an HMAC-signed token and an RS/EC/PS-signed token during verification, it is vulnerable to this kind of attack. For instance, an attacker could craft a token with the alg field set to "HS256" while the server expects an asymmetric algorithm such as "RS256". The server might then apply the wrong verification method, such as using the public key as the HMAC secret, leading to unauthorised access. For RSA, the public key can be computed from a few signatures; for Elliptic Curve (EC), two candidate public keys can be recovered from one signature. This can be used to bypass the signature mechanism if an application relies on asymmetrically signed tokens. This issue has been addressed in version 2.3.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Secondary
- Base score
- 9.1
- Impact score
- 5.2
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-347
- Hype score
- Not currently trending
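The defensive pattern behind the fix described above is to bind each verification key to a single algorithm and reject any token whose header alg differs, before any key material is used. The following is an added example (not cjwt's code); the key registry, key ids and key material are constructed for illustration, and only the HS256 path is fully implemented because RS256 needs a crypto library.

```python
import base64
import hashlib
import hmac
import json

# Server-side key registry: each key is bound to exactly one algorithm, so the
# verifier never lets the token's header choose how it is checked. All key
# material below is constructed for this example (hypothetical values).
KEYS = {
    "api-rsa-1": {"alg": "RS256",
                  "material": b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n"},
    "sess-hmac-1": {"alg": "HS256",
                    "material": b"constructed-example-hmac-secret-not-for-real-use"},
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint an HS256 token (used here only to build inputs for the verifier)."""
    signing = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    return signing + "." + b64url_encode(hmac.new(secret, signing.encode(), hashlib.sha256).digest())

def verify(token: str, key_id: str):
    """Return (ok, reason). The algorithm comes from the pinned key, not from the header."""
    key = KEYS.get(key_id)
    if key is None:
        return False, "unknown key"
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # covers bad split, binascii.Error and JSONDecodeError
        return False, "malformed token"
    if not isinstance(header, dict):
        return False, "malformed token"
    # Core CWE-347 fix: refuse any token whose alg differs from the key's algorithm
    # before touching key material, so a public key can never be used as an HMAC secret.
    if header.get("alg") != key["alg"]:
        return False, f"alg mismatch: header={header.get('alg')!r} key={key['alg']!r}"
    if key["alg"] == "HS256":
        expected = hmac.new(key["material"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        return (True, "ok") if hmac.compare_digest(expected, sig) else (False, "bad HMAC")
    # RS256 would hand key["material"] to an RSA verifier; that needs a crypto
    # library and is deliberately not implemented in this example.
    return False, "RS256 verification not implemented in this example"
```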
Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150! https://t.co/8avFrjyS2Q
@0xBen10
7 Jan 2025
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150 https://t.co/28k6pwxJbg https://t.co/jBarL4Cu8H
@secharvesterx
24 Dec 2024
41 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150 https://t.co/OG8mBrWxY3
@Tinolle
22 Dec 2024
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
PentesterLab Blog: Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150 https://t.co/U7EtOQb3Bw
@tbbhunter
22 Dec 2024
1406 Impressions
2 Retweets
20 Likes
9 Bookmarks
1 Reply
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2024-54150 2 - CVE-2023-34990 3 - CVE-2024-12356 4 - CVE-2024-56145 5 - CVE-2024-12727 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
22 Dec 2024
161 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-54150 : Another JWT Algorithm Confusion 🌟Blog : https://t.co/51glHIzymO
@HackingTeam777
21 Dec 2024
274 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
Check out Pentesterlab's post: Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150! https://t.co/Dvl2sTlu6g
@Pikafou34
21 Dec 2024
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150 https://t.co/N8Rb1Untzz
@Dinosn
21 Dec 2024
3581 Impressions
9 Retweets
47 Likes
18 Bookmarks
0 Replies
0 Quotes
Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150 https://t.co/2skWpoXNia
@_r_netsec
21 Dec 2024
1125 Impressions
3 Retweets
8 Likes
6 Bookmarks
0 Replies
0 Quotes
[CVE-2024-54150: HIGH] System vulnerability found in cjwt due to algorithm confusion during token signature verification allowing attackers to exploit the system's inability to distinguish between signing methods...#cybersecurity,#vulnerability https://t.co/mTBjImJTVp https://t.c
@CveFindCom
19 Dec 2024
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-54150 cjwt is a C JSON Web Token (JWT) Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploi… https://t.co/dO9Fen0Suq
@CVEnew
19 Dec 2024
306 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes