Candidate: CVE-2018-1000539
PublicDate: 2018-06-26 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000539
 https://github.com/nov/json-jwt/pull/62
 https://github.com/nov/json-jwt/commit/3393f394f271c87bd42ec23c300727b4437d1638
Description:
 Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper
 Verification of Cryptographic Signature vulnerability in Decryption of
 AES-GCM encrypted JSON Web Tokens that can result in an attacker forging
 an authentication tag. This attack appears to be exploitable via network
 connectivity. This vulnerability appears to have been fixed in 1.9.4 and
 later.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902721
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]

Patches_ruby-json-jwt:
upstream_ruby-json-jwt: released (1.9.4-1)
precise/esm_ruby-json-jwt: DNE
trusty_ruby-json-jwt: ignored (out of standard support)
trusty/esm_ruby-json-jwt: DNE
xenial_ruby-json-jwt: DNE
bionic_ruby-json-jwt: needed
focal_ruby-json-jwt: not-affected (1.11.0-1)
groovy_ruby-json-jwt: not-affected
hirsute_ruby-json-jwt: not-affected
impish_ruby-json-jwt: not-affected
jammy_ruby-json-jwt: not-affected
devel_ruby-json-jwt: not-affected