Veeam Recovery Orchestrator Flaw Enables Forge of Valid JWT Tokens

Improper Authorization

github.com/hashicorp/vault is vulnerable to Improper Authorization. The vulnerability is due to the JWT auth method improperly validating the audience and role-bound claims, allowing invalid logins to ...

Improper Authentication

org.apache.submarine:submarine-commons-utils is vulnerable to Improper Authentication. The vulnerability is caused by a hard-coded JSON Web Token (JWT) key (SUBMARINE_SECRET_12345678901234567890) with ...

CVE-2024-5798 Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audie ...

RHEL 9 : python-jwt (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. python-jwt: Key con ...

Exploit for CVE-2024-29855

CVE-2024-29855 Veeam Recovery Orchestrator Authentication Bypass (CVE-2024-29855) by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam) Technical Analysis A root cause analysis of the vul ...

CVE-2024-32988

'OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App for iOS versions 2.1.7 to 2.6.14 use a hard-coded secret key for JWT. Secret key for JWT may be retrieved if ...

CVE-2024-5483 LearnPress – WordPress LMS Plugin <= 4.2.6.8 – Basic Information Disclosure via JSON API

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.6.8 due to incorrect implementation of get_items_ ...
