CVE-2021-27884 — Weak JSON Web Token in yapi-vendor

Description

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used as a source of randomness in jwt signing. Math.random does not provide cryptographically secure random numbers. This has been patched in version 1.9.3.

How to fix CVE-2021-27884

To remediate CVE-2021-27884, upgrade the affected package to a fixed version below.

—upgrade to 1.9.3 or later

Is CVE-2021-27884 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.9.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.1	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-27884
ADVISORYsecuritylab.github.com/advisories/GHSL-2020-228-YMFE-yapi
WEBgithub.com/YMFE/yapi/issues/2117
WEBgithub.com/YMFE/yapi/issues/2263