From eead1d8d5131ab74f48d989343f21a36cc15e386 Mon Sep 17 00:00:00 2001
From: Samuel Weirich <4281791+samuelwei@users.noreply.github.com>
Date: Fri, 3 Jul 2026 15:38:45 +0200
Subject: [PATCH] Improve GHSA-jc38-x7x8-2xc8
---
 .../GHSA-jc38-x7x8-2xc8.json | 160 +++++++++++++++++-
 1 file changed, 156 insertions(+), 4 deletions(-)
diff --git a/advisories/github-reviewed/2026/06/GHSA-jc38-x7x8-2xc8/GHSA-jc38-x7x8-2xc8.json b/advisories/github-reviewed/2026/06/GHSA-jc38-x7x8-2xc8/GHSA-jc38-x7x8-2xc8.json
index 53999507da327..b013e31672bc9 100644
--- a/advisories/github-reviewed/2026/06/GHSA-jc38-x7x8-2xc8/GHSA-jc38-x7x8-2xc8.json
+++ b/advisories/github-reviewed/2026/06/GHSA-jc38-x7x8-2xc8/GHSA-jc38-x7x8-2xc8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jc38-x7x8-2xc8",
- "modified": "2026-06-18T21:09:18Z",
+ "modified": "2026-06-18T21:09:20Z",
 "published": "2026-06-18T21:09:17Z",
 "aliases": [],
 "summary": "PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks",
@@ -9,7 +9,7 @@
 "severity": [
 {
 "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
 }
 ],
 "affected": [
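Review bot: Dropping `/E:P` from the CVSS v4 vector in the second hunk is not a cosmetic cleanup: with Exploit Maturity left Not Defined, CVSS 4.0 scores the vector as the worst case (E:A), so the numeric score rises, and the `"severity": "CRITICAL"` change in the last hunk rests on that. By my reading of the v4 scoring, a vector with AC:H, VA:N and no subsequent-system impact stays below the 9.0 CRITICAL threshold even without the threat metric, so the calculator should be re-run and the label kept in step with the vector before this is published. If removing the metric is deliberate (the exploit status is no longer known), the commit message `Improve GHSA-jc38-x7x8-2xc8` should say so, because it changes the advisory's stated risk rather than its formatting.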
@@ -26,7 +26,159 @@
 "introduced": "0"
 },
 {
- "last_affected": "4.2.99"
+ "fixed": "3.4.10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "web-token/jwt-framework"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.0.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "web-token/jwt-framework"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.1.0"
+ },
+ {
+ "fixed": "4.1.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "web-token/jwt-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.4.10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "web-token/jwt-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.0.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "web-token/jwt-bundle"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.1.0"
+ },
+ {
+ "fixed": "4.1.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "web-token/jwt-experimental"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.4.10"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "web-token/jwt-experimental"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.0.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "web-token/jwt-experimental"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.1.0"
+ },
+ {
+ "fixed": "4.1.7"
 }
 ]
 }
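Review bot: The rewritten ranges leave coverage gaps: every `web-token/jwt-framework` entry now closes with a `fixed` event at 3.4.10, 4.0.7 or 4.1.7, so any release from 3.4.10 up to 4.0.0 and anything from 4.2.0 onward falls outside all ranges and is reported as unaffected, whereas the removed `"last_affected": "4.2.99"` line had treated a 4.2 series as affected. If no 3.5.x or 4.2.x release exists this is harmless; if a 4.2.x release exists and is affected, it needs its own range (`"introduced": "4.2.0"` with a `fixed` event, or `last_affected` if there is no fix yet), and the old value should not simply disappear without a note. The same three-branch shape is duplicated for `web-token/jwt-bundle` and `web-token/jwt-experimental` in this hunk, so the same check applies to them. The enclosing `affected` array opens in the previous hunk, so the first entry's `package` block is outside this hunk.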
@@ -108,7 +260,7 @@
 "cwe_ids": [
 "CWE-345"
 ],
- "severity": "HIGH",
+ "severity": "CRITICAL",
 "github_reviewed": true,
 "github_reviewed_at": "2026-06-18T21:09:17Z",
 "nvd_published_at": null