How severe is CVE-2021-41106?

This vulnerability has a severity rating of LOW with a CVSS score of 3.3 out of 10.

What type of vulnerability is CVE-2021-41106?

This is classified as CWE-345, which is a common weakness in software security.

CVE-2021-41106 - LOW Severity | CVSS 3.3

Vulnerability Description

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\JWT\Signer\Key\LocalFileReference`, and suggest `Lcobucci\JWT\Signer\Key\InMemory` as the alternative. As a workaround, use `Lcobucci\JWT\Signer\Key\InMemory` instead of `Lcobucci\JWT\Signer\Key\LocalFileReference` to create the instances of one's keys.

Related Vulnerabilities

CVE-2017-2701

LOW

CVSS:3.3(Low)

Mate 9 with software MHA-AL00AC00B125 has a denial of service (DoS) vulnerability. An attacker tricks a user into installing a malicious application. Since the system does not verify the broadcasting ...

CWE-3452017

CVE-2018-15801

LOW

CVSS:3.3(Low)

Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malic...

CWE-3452018

CVE-2021-3349

LOW

CVSS:3.3(Low)

GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOT...

CWE-3452021

CVE-2023-20570

LOW

CVSS:3.3(Low)

Insufficient verification of data authenticity in the configuration state machine may allow a local attacker to potentially load arbitrary bitstreams.

CWE-3452023

CVE-2025-23415

LOW

CVSS:3.1(Low)

An insufficient verification of data authenticity vulnerability exists in BIG-IP APM Access Policy endpoint inspection that may allow an attacker to bypass endpoint inspection checks for VPN connectio...

CWE-3452025

CVE-2019-20057

LOW

CVSS:3.7(Low)

com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman for macOS 1.11.0 and earlier allows an attacker to change the System Proxy and redirect all traffic to an attacker-controlled comp...

CWE-3452019