CVE-2017-2773 Unauthenticated JWT signing algorithm in multiple components


Severity

High

Vendor

Pivotal

Description

Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime.
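The advisory does not say which validation step was incomplete in the affected libraries. The following Python example is added here for illustration and is not Pivotal's code or any PCF component's code: it shows the general class of defect, a verifier that lets the token's own `alg` header decide whether and how the signature is checked, beside a hardened verifier that pins the expected algorithm server-side and always checks the signature. The key, the claims and the helper names (`verify_trusting_header`, `verify`, `sign_hs256`) are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Pinned server-side. A verifier must never take this value from the token.
EXPECTED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore padding before decoding; raises ValueError on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS with an HMAC-SHA256 signature (constructed issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Pattern to avoid: the token header selects, or disables, the check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
    elif alg != "none":
        return None
    # alg == "none" falls through: the claims are accepted with no signature check,
    # which is the incomplete validation the advisory describes.
    return json.loads(b64url_decode(payload_b64))


def verify(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: algorithm is a server constant, signature always checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    # Reject anything that is not the one algorithm this service was configured with.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        return None
    # Constant-time comparison; an empty or wrong signature fails here.
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = sign_hs256({"sub": "alice"}, key)
    print("signed token accepted:", verify(good, key))
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + b64url_encode(b'{"sub":"admin"}') + "."
    print("unsigned token, hardened verifier:", verify(unsigned, key))
    print("unsigned token, header-trusting verifier:", verify_trusting_header(unsigned, key))
```

The design point is that the only data a verifier may take from the token before the signature is checked is the data needed to locate the key; the algorithm, like the key, belongs to the verifier's configuration. Libraries that expose an "allowed algorithms" parameter should be called with exactly one value.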

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • PCF Elastic Runtime:
    • 1.6.x versions prior to 1.6.60
    • 1.7.x versions prior to 1.7.41
    • 1.8.x versions prior to 1.8.23
    • 1.9.x versions prior to 1.9.1
  • Note: PCF Elastic Runtime 1.10.x versions are not vulnerable to this issue.

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • PCF Elastic Runtime: 1.6.60, 1.7.41, 1.8.23, 1.9.1

References

History

2017-03-27: Initial vulnerability report published