nov/jose-php

nov/jose-php

Releases13

Frequency3 months 2 weeks

Last Release over 9 years ago

Stars139

PHP JOSE Library (JWT, JWS, JWE, JWK, JWK Set, JWK Thumbprint are supported)

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2016-5431 ↗	Aug 7, 2019Wednesday, 7 August 2019, 15:15	7.5 HIGH	5 MEDIUM
The PHP JOSE Library by Gree Inc. before version 2.2.1 is vulnerable to key confusion/algorithm substitution in the JWS component resulting in bypassing the signature verification via crafted tokens.
CVE-2016-5430 ↗	Sep 3, 2016Saturday, 3 September 2016, 20:59	5.3 MEDIUM	5 MEDIUM
The RSA 1.5 algorithm implementation in the JOSE_JWE class in JWE.php in jose-php before 2.2.1 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).
CVE-2016-5429 ↗	Sep 3, 2016Saturday, 3 September 2016, 20:59	3.7 LOW	4.3 MEDIUM
jose-php before 2.2.1 does not use constant-time operations for HMAC comparison, which makes it easier for remote attackers to obtain sensitive information via a timing attack, related to JWE.php and JWS.php.