Vulnerability CVE-2020-15957


Published: 2020-07-30

Description:
An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing (DP3T). When the backend is configured to check a JWT before uploading/publishing keys, the signature check can be skipped by providing a JWT whose header sets alg=none, so the token's claims are accepted without any cryptographic verification.
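
The bypass and its fix, shown as an added example in Python standard-library code (this is not the page's or the DP3T project's own code). The vulnerable verifier trusts whatever algorithm the token header names, so a token with alg=none and an empty signature is accepted; the hardened verifier pins the algorithm the server expects and refuses everything else. HS256 with a shared secret, the DEMO_KEY value and the "scope" claim are all constructed for the demo and do not model the real backend's key material or claim schema.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; the real deployment's keys are not modelled here.
DEMO_KEY = b"constructed-demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed token (what the legitimate issuer does)."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(payload: dict) -> str:
    """Attacker's token: alg=none header, arbitrary claims, empty signature."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Trusts the alg named in the token header (CWE-347)."""
    header, payload, (h, p, s) = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return payload  # bug: an unsigned token is accepted as valid
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return payload
        raise ValueError("bad signature")
    raise ValueError(f"unsupported alg {alg!r}")


def verify_hardened(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Pins the algorithm server-side; the header may only confirm it."""
    header, payload, (h, p, s) = _split(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} rejected; server requires {expected_alg}")
    if not s:
        raise ValueError("missing signature")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return payload


def demo() -> dict:
    """Run both verifiers against a forged and a genuine token."""
    claims = {"scope": "exposed"}  # constructed claim, not the project's schema
    forged = forge_alg_none(claims)
    genuine = sign_hs256(claims, DEMO_KEY)

    def outcome(verify, token):
        try:
            return verify(token, DEMO_KEY)["scope"]
        except ValueError as exc:
            return f"rejected: {exc}"

    return {
        "vulnerable/forged": outcome(verify_vulnerable, forged),
        "hardened/forged": outcome(verify_hardened, forged),
        "vulnerable/genuine": outcome(verify_vulnerable, genuine),
        "hardened/genuine": outcome(verify_hardened, genuine),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The design point is that the verifier, not the token, decides which algorithm is acceptable: the expected algorithm (and the key that goes with it) is configuration on the server, and a header that names anything else is rejected before any signature bytes are examined. The same rule applies unchanged to asymmetric algorithms; only the signature primitive differs.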

Type:
CWE-347 (Improper Verification of Cryptographic Signature)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score          5/10
Impact Subscore          2.9/10
Exploitability Subscore  10/10

Exploit range            Remote
Attack complexity        Low
Authentication           Not required

Confidentiality impact   None
Integrity impact         Partial
Availability impact      None

Affected software:
DP3T-Backend-SDK project -> DP3T-Backend-SDK

References:
https://github.com/dp-3T/dp3t-sdk-backend
https://github.com/DP-3T/dp3t-sdk-backend/compare/v1.0.4...v1.1.0
https://github.com/DP-3T/dp3t-sdk-backend/security/advisories/GHSA-5m5q-3qw2-3xf3

Copyright 2024, cxsecurity.com
