CVE-2021-27884 Information

Description

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users’ JWT tokens. This occurs because Math.random in Node.js is used.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reference

https://github.com/YMFE/yapi/issues/2117 https://securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.1