CVE-2024-57432

{"id": "CVE-2024-57432", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-01-31T17:15:15.993", "references": [{"url": "https://github.com/peccc/restful_vul/blob/main/mall_tiny_weak_jwt/mall_tiny_weak_jwt.md", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "macrozheng mall-tiny 1.0.1 suffers from Insecure Permissions. The application's JWT signing keys are hardcoded and do not change. User information is explicitly written into the JWT and used for subsequent privilege management, making it is possible to forge the JWT of any user to achieve authentication bypass."}, {"lang": "es", "value": "Macrozheng mall-tiny 1.0.1 presenta permisos inseguros. Las claves de firma JWT de la aplicaci\u00f3n est\u00e1n codificadas y no cambian. La informaci\u00f3n del usuario se escribe expl\u00edcitamente en el JWT y se utiliza para la gesti\u00f3n posterior de privilegios, lo que hace posible falsificar el JWT de cualquier usuario para lograr eludir la autenticaci\u00f3n."}], "lastModified": "2025-03-13T14:15:34.393", "sourceIdentifier": "cve@mitre.org"}