CVE-2023-23928 MEDIUM

CVE-2023-23928: reason-jose ignores signature checks

Vendor Ulrikstrid
Product reason-jose
Weakness CWE-347
Published February 1, 2023
Last update March 10, 2025

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01Description

reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.

Key dates

02Disclosure timeline

February 1, 2023 CVE published
March 10, 2025 Record updated

Related vulnerabilities

04Related CVE