Home > Vulnerability Database > CVE-2023-23928

Mend.io Vulnerability Database

CVE-2023-23928

Date: January 31, 2023

reason-jose is a JOSE implementation in ReasonML and OCaml."Jose.Jws.validate" does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.

Language: OCAML

Severity Score

5.9

Related Resources (5)

Url: https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7

Url: https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-23928

Url: https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5

Url: https://www.mend.io/vulnerability-database/CVE-2023-23928

Severity Score

5.9

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-23928

Date: January 31, 2023

Language: OCAML

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?