CVE-2020-15084
Authorization bypass in express-jwt
Description

### Overview

In versions up to and including 5.3.3, express-jwt does not enforce that the **algorithms** entry is specified in the configuration. When **algorithms** is not specified, and the **secret** is supplied by a library such as jwks-rsa, the set of accepted signature algorithms is not pinned by the application; it is effectively driven by the token's own `alg` header, which the attacker controls. A forged token can therefore pass verification, which may lead to authorization bypass.

### Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

- You are using express-jwt, AND
- You do not have **algorithms** configured in your express-jwt configuration, AND
- You are using a library such as jwks-rsa as the **secret**.

A quick check is to search your code for every `jwt({ ... })` (express-jwt) call and confirm that each one passes an explicit `algorithms` array.

### How to fix that?

Specify **algorithms** in the express-jwt configuration. The following is an example of a proper configuration:

```javascript
const jwt = require('express-jwt');   // express-jwt 5.x/6.x export the middleware directly
const jwksRsa = require('jwks-rsa');
// DOMAIN holds the issuer's domain, e.g. read from an environment variable.

const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${DOMAIN}/.well-known/jwks.json`
  }),
  // Validate the audience and the issuer.
  audience: process.env.AUDIENCE,
  issuer: `https://${DOMAIN}/`,
  // Restrict allowed algorithms to what the issuer actually uses.
  algorithms: ['RS256']
});
```

### Will this update impact my users?

The fix will not affect your users if you already specify the allowed algorithms. As of the patched version, **algorithms** is a required configuration option, so a configuration that omits it is rejected when the middleware is created instead of silently accepting any algorithm.

### Credit

IST Group
How to fix CVE-2020-15084
To fix CVE-2020-15084, upgrade the affected package to the patched version below, and make sure every express-jwt configuration sets an explicit `algorithms` list.
- express-jwt: upgrade to 6.0.0 or later
Is CVE-2020-15084 being exploited?
Low: the EPSS score is 0.2%, and no large-scale exploitation activity has been observed. Note that forging a token against an affected deployment needs no secret material, so a low EPSS score is not a reason to defer the upgrade.
Affected packages (1)
- express-jwt: all versions from 0 up to, but not including, 6.0.0 (< 6.0.0)
CVSS score
| Source |
|---|