From c2d1c828f20f90f21d9a34ade48aefe88d16a771 Mon Sep 17 00:00:00 2001
From: David Fritz <153015986+fritzdal@users.noreply.github.com>
Date: Thu, 5 Mar 2026 12:36:17 -0500
Subject: [PATCH] Improve GHSA-pm7g-w2cf-q238

---
 .../GHSA-pm7g-w2cf-q238.json | 75 +++++++++++++++++--
 1 file changed, 69 insertions(+), 6 deletions(-)

diff --git a/advisories/unreviewed/2026/03/GHSA-pm7g-w2cf-q238/GHSA-pm7g-w2cf-q238.json b/advisories/unreviewed/2026/03/GHSA-pm7g-w2cf-q238/GHSA-pm7g-w2cf-q238.json
index a9bb4afdabf0c..00d7c45cd8682 100644
--- a/advisories/unreviewed/2026/03/GHSA-pm7g-w2cf-q238/GHSA-pm7g-w2cf-q238.json
+++ b/advisories/unreviewed/2026/03/GHSA-pm7g-w2cf-q238/GHSA-pm7g-w2cf-q238.json
@@ -1,28 +1,91 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pm7g-w2cf-q238",
-  "modified": "2026-03-05T00:31:11Z",
+  "modified": "2026-03-05T00:31:17Z",
   "published": "2026-03-05T00:31:11Z",
   "aliases": [
     "CVE-2026-29000"
   ],
+  "summary": "CVE-2026-29000: Authentication Bypass in pac4j-jwt",
   "details": "pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators.",
   "severity": [
     {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.pac4j:pac4j-jwt"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.5.9"
+            }
+          ]
+        }
+      ]
     },
     {
-      "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.pac4j:pac4j-jwt"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0"
+            },
+            {
+              "fixed": "5.7.9"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.pac4j:pac4j-jwt"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.0.0"
+            },
+            {
+              "fixed": "6.3.3"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29000"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pac4j/pac4j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pac4j/pac4j/blob/9f68430afa1201769c01bc5e24a58824cb208318/documentation/blog/security-advisory-pac4j-jwt-jwtauthenticator.md"
+    },
     {
       "type": "WEB",
       "url": "https://www.codeant.ai/security-research/pac4j-jwt-authentication-bypass-public-key"
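Review bot: The first `affected` range opens with `"introduced": "4.0.0"`, but the `details` text kept in this hunk says every pac4j-jwt version prior to 4.5.9 is vulnerable, so 3.x and earlier releases of org.pac4j:pac4j-jwt fall outside all three ranges and range-driven tooling (dependency alerts, OSV-based scanners) will stay silent on them. If the vulnerable JwtAuthenticator path also exists in those releases, the first range should start at `{ "introduced": "0" }`; if 3.x is unaffected or deliberately excluded as unsupported, the `details` wording should say so, so the narrower bound reads as intentional rather than as a gap. The same `introduced` values in the 5.x and 6.x ranges are consistent with the fixed versions in `details` and need no change. The `references` array this hunk ends in closes outside the hunk.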