Detected use of the ‘none’ algorithm in a JWT token. The ‘none’ algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the ‘none’ algorithm. Instead, use an algorithm such as ‘HS256’.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
ruby-jwt-exposed-credentials
Password is exposed through the JWT token payload. The payload is not encrypted, so the password could be compromised. Do not store passwords in JWT tokens.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
ruby-jwt-hardcoded-secret
A hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables).
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design