CVE-2020-28042
EPSS 36.0%Signature validation bypass in ServiceStack
Published: 1/13/2021Modified: 12/2/2024
Description
ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
Affected packages (1)
- NuGet/ServiceStackfrom 0, < 5.9.2
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-28042
- WEBhttps://forums.servicestack.net/t/servicestack-v5-9-2-released/8850
- WEBhttps://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee
- WEBhttps://snyk.io/vuln/SNYK-DOTNET-SERVICESTACK-1035519
- WEBhttps://www.nuget.org/packages/ServiceStack
- WEBhttps://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass
- WEBhttps://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack