#VU101894 Insufficient technical documentation in jwt - CVE-2024-51744

Cybersecurity Help s.r.o.

Published: 2024-12-23

Vulnerability identifier: #VU101894

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-51744

CWE-ID: CWE-1059

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jwt
Universal components / Libraries / Libraries used by multiple products

Vendor: golang-jwt

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due due to unclear documentation of the error behavior in "ParseWithClaims". A remote attacker can trick the victim into accepting invalid tokens, which can lead to information disclosure.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jwt: 1.0.0 - 4.5.0

External links
https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r
https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Security QRadar EDR

IBM Watson Speech Services Cartridge update for golang-jwt jwt-go

SUSE update for SUSE Manager Client Tools

SUSE update for Security update golang-github-prometheus-prometheus

Hashicorp Consul update for third-party components

Multiple vulnerabilities in IBM API Connect

Multiple vulnerabilities in IBM Edge Application Manager

Insufficient technical documentation in golang-jwt