A vulnerability has been discovered in pac4j-jwt (JwtAuthenticator) which could allow for authentication bypass. pac4j-jwt is a Java module within the pac4j security framework designed for generating, validating, and managing JSON Web Tokens (JWT) to secure web applications and services. It supports signed and encrypted tokens, primarily using the Nimbus JOSE+JWT library to handle authentication, profile generation, and signature configuration. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to bypass authentication and authenticate as any user (including administrator), with any role, without knowing a single secret.
–
Read More – Cyber Security Advisories – MS-ISAC