[HIGH] RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle

PKSA-m2bn-5kyy-vzsk GHSA-3prj-6hqw-cm82

Affected package: web-token/jwt-framework

Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7

Reported by:
GitHub, FriendsOfPHP/security-advisories