ruby-jwt-decode-without-verify
Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token’s integrity is unknown. This means a malicious actor could forge a JWT token with any claims.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-345: Insufficient Verification of Data Authenticity
OWASP:
- A08:2021 - Software and Data Integrity Failures
ruby-jwt-exposed-data
The object is passed strictly to jsonwebtoken.sign(…). Make sure that sensitive information is not exposed through the JWT token payload.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
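The two rules above describe one root cause from two angles: a JWT payload is only base64url-encoded, so anyone can read it (exposed data), and only the signature check proves it was issued by the holder of the key (decode without verify). The following stand-alone Ruby is an added illustration, not part of this rule catalogue or of the ruby-jwt gem; it uses only the standard library (JSON, Base64, OpenSSL) to build an HS256 token, a decoder that skips verification (the flagged pattern), and a decoder that pins the algorithm and checks the HMAC in constant time. The secret and claims are constructed demo values. With the ruby-jwt gem the equivalent calls are `JWT.decode(token, nil, false)` for the unverified form and `JWT.decode(token, secret, true, algorithm: 'HS256')` for the verified one.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Constructed demo secret; a real service loads this from a secret store.
DEMO_SECRET = 'constructed-demo-secret'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Issue a compact HS256 token: base64url(header).base64url(payload).base64url(hmac).
def encode_hs256(payload, secret)
  header = { 'alg' => 'HS256', 'typ' => 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# The pattern the rule flags: the claims come back without any signature check,
# so whatever the payload segment says is trusted. This is also why the
# "exposed data" rule matters: no key is needed to read everything in here.
def decode_without_verify(token)
  _header, payload, _sig = token.split('.')
  JSON.parse(b64url_decode(payload))
end

# Constant-time byte comparison so signature checking does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened decode: reject malformed tokens, pin the expected algorithm
# (so a header rewritten to "none" or to a different alg is refused),
# recompute the HMAC over the exact signed bytes, and compare in constant time.
def decode_with_verify(token, secret)
  header_b64, payload_b64, sig_b64 = token.split('.')
  raise ArgumentError, 'malformed token' if sig_b64.nil?
  header = JSON.parse(b64url_decode(header_b64))
  raise ArgumentError, 'unexpected alg' unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  given = b64url_decode(sig_b64)
  raise ArgumentError, 'bad signature' unless secure_equal?(expected, given)
  JSON.parse(b64url_decode(payload_b64))
end

# Test fixture: a token whose payload segment was replaced while the original
# signature was kept. Used below to show that only the verifying decoder notices.
def tampered_token(token, new_claims)
  header_b64, _payload_b64, sig_b64 = token.split('.')
  "#{header_b64}.#{b64url(JSON.generate(new_claims))}.#{sig_b64}"
end

if __FILE__ == $PROGRAM_NAME
  token = encode_hs256({ 'sub' => 'alice', 'role' => 'user' }, DEMO_SECRET)
  bad = tampered_token(token, { 'sub' => 'alice', 'role' => 'admin' })
  puts "unverified decode accepts tampered role: #{decode_without_verify(bad)['role']}"
  begin
    decode_with_verify(bad, DEMO_SECRET)
  rescue ArgumentError => e
    puts "verified decode rejects it: #{e.message}"
  end
end
```

The point of `decode_without_verify` is not that it is wrong code in itself (reading claims before verification is sometimes needed to pick a key), but that its output must never drive an authorization decision; `decode_with_verify` is the only function here whose return value is trustworthy.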