[MAVEN:GHSA-MX47-H5FV-GHWH] light-oauth2 missing public key verification

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.

Package	Affected Version
pkg:maven/com.networknt/light-oauth2	< 2.1.27

Package	Fixed Version
pkg:maven/com.networknt/light-oauth2	= 2.1.27

ID: MAVEN:GHSA-MX47-H5FV-GHWH
Severity: moderate
URL: https://github.com/advisories/GHSA-mx47-h5fv-ghwh
Published: 2023-10-25T18:32:21
(10 months ago)
Modified: 2023-11-10T05:03:56
(10 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2023-31580
			https://github.com/networknt/light-oauth2/issues/369
			https://github.com/KANIXB/JWTIssues/blob/main/Certification%20Verification%20issue%20in%20light-oauth2.md
			https://github.com/advisories/GHSA-mx47-h5fv-ghwh

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/com.networknt/light-oauth2	com.networknt	light-oauth2	< 2.1.27
Fixed	pkg:maven/com.networknt/light-oauth2	com.networknt	light-oauth2	= 2.1.27

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date