You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by "Tellier Benoit (JIRA)" <se...@james.apache.org> on 2017/06/12 08:54:00 UTC

[jira] [Created] (JAMES-2053) Check that we don't accept JWT tokens with a None algorithm

Tellier Benoit created JAMES-2053:
-------------------------------------

             Summary: Check that we don't accept JWT tokens with a None algorithm
                 Key: JAMES-2053
                 URL: https://issues.apache.org/jira/browse/JAMES-2053
             Project: James Server
          Issue Type: Bug
          Components: webadmin, JMAP
            Reporter: Tellier Benoit
            Assignee: Antoine Duprat


We should check that we don't accept JWT tokens with a None algorithm, i.e. without verifying the signature.
See https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ for this security flaw.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org