CVE-2021-27884

Severity: MEDIUM 5.1 | EPSS: 0.06%

Weak JSON Web Token in yapi-vendor

Published: 3/26/2021 | Modified: 11/8/2023
Also known as: GHSA-2h3h-vw8r-82rp

Description

YMFE YApi through 1.9.2 generates its JSON Web Token (JWT) signing secret with Node.js Math.random. Math.random is a non-cryptographic pseudorandom number generator whose output is predictable, so a secret derived from it is not suitable for keying an HMAC. An attacker who reconstructs the secret can recreate other users' JWTs, that is, sign a token carrying another user's identity that the server accepts as valid. This has been patched in version 1.9.3. Because the weakness is in how the secret was generated, any signing secret produced by an affected version should be rotated after upgrading, not merely the code updated.

Affected packages (1)

CVSS scores

Source   Version    Severity     Vector
osv      CVSS 3.1   MEDIUM 5.1   CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (4)