Security Advisories - web-token/jwt-framework - Packagist.org

web-token/jwt-framework Security Advisories for 3.4.8 (4)

[MEDIUM] JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks

PKSA-ztxk-m2k2-bkgv GHSA-5739-39v2-5754

Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle

PKSA-m2bn-5kyy-vzsk GHSA-3prj-6hqw-cm82

Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption

PKSA-p7vh-1fk6-znth GHSA-jc38-x7x8-2xc8

Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7

Reported by:
GitHub, FriendsOfPHP/security-advisories
PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service

PKSA-815n-fyy9-rqkd

Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7

Reported by:
FriendsOfPHP/security-advisories