CVE-2024-11619

macrozheng mall JWT Token default key

CVSS 2.3 LOWEPSS 0.7%CWE-1394

In short

The macrozheng mall application uses a default encryption key for JWT tokens, which means an attacker who knows this key could potentially forge authentication tokens. While exploitation is difficult and requires specific knowledge, it undermines the security of user authentication.

Technical detail

The JWT Token Handler in macrozheng mall versions up to 1.0.3 relies on a hardcoded default cryptographic key for token generation and validation (CWE-1394). An attacker with knowledge of the default key and high technical complexity can forge valid JWT tokens to bypass authentication mechanisms, though practical exploitation remains challenging due to additional attack constraints.

Summary generated and translated by AI from the official description.

A vulnerability, which was classified as problematic, has been found in macrozheng mall up to 1.0.3. Affected by this issue is some unknown functionality of the component JWT Token Handler. The manipulation leads to use of default cryptographic key. The complexity of an attack is rather high. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. Instead the issue posted on GitHub got deleted without any explanation.

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected products

macrozheng · mall

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/macrozheng/mall/issues/880 https://vuldb.com/?ctiid.285842 https://vuldb.com/?id.285842 https://vuldb.com/?submit.444666