CVE-2017-2773 Unauthenticated JWT signing algorithm in multiple components
Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime.
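As an added illustration (not VMware or Pivotal code), the verifier below pins the signing algorithm it expects instead of trusting the `alg` field in the token header, which is the kind of validation the advisory describes as incomplete. The advisory does not detail the exact flaw in the affected components; the `none`-header case and the secret key here are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real credential


def b64url_decode(part: str) -> bytes:
    # JWT uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a legitimate HS256 token (used only to build sample input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if this is an HS256 token with a valid MAC.

    The accepted algorithm is fixed by the verifier, never read from the
    token, so a header declaring "none" (or any other alg) is rejected
    before the signature is even examined.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if header.get("alg") != "HS256":
        return None  # letting the token choose its own alg is the bug class
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # signature does not match under the pinned algorithm
    return json.loads(b64url_decode(body_b64))
```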
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- PCF Elastic Runtime:
  - 1.6.x versions prior to 1.6.60
  - 1.7.x versions prior to 1.7.41
  - 1.8.x versions prior to 1.8.23
  - 1.9.x versions prior to 1.9.1
  - Note: PCF Elastic Runtime 1.10.x versions are not vulnerable to this issue.
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - PCF Elastic Runtime: 1.6.60, 1.7.41, 1.8.23, 1.9.1
2017-03-27: Initial vulnerability report published