SYM_JAVA_0154 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of a Broken or Risky Cryptographic Algorithm
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code issues JWT tokens with the `none` algorithm (header `{"alg":"none"}`), so the tokens carry no signature: the third, signature segment is empty and nothing binds the header and claims to a key held by the issuer. Anyone who can read such a token can rewrite its claims (subject, roles, expiry) and present the result; there is no cryptographic check that would detect the change. Whether the forgery is accepted depends on the verifying side, and in practice the issuer and verifier are the same application. A verifier that honours the algorithm named in the token header, or that is configured to accept unsigned tokens, treats the forged token as valid, so authentication built on these tokens is insecure. When reviewing, look for token builders that select the `none` algorithm explicitly or that produce a token without ever being given a signing key, and for verifiers that do not pin the expected algorithm.
Impact
If exploited, an attacker can mint a token for any user or alter an existing token (for example, changing a role claim from `user` to `admin`) to impersonate users or escalate privileges, bypassing authentication entirely. No key material is needed. This can lead to unauthorized access to sensitive data or to critical actions in the application.
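The following is an added example, not code from the database entry or from any scanned project. It hand-builds JWTs with only the JDK so that the mechanics are visible: an issuer that emits `alg: none` tokens, a verifier that trusts the algorithm named in the token header (and so accepts a forged admin token with an empty signature), and the hardened pair that signs with HS256 and pins the algorithm server-side. The key bytes, claim values and class name are made up for the example; the header check uses a string match on the exact header layout the example itself produces, whereas a real verifier would parse the JSON and compare `alg` against an allow-list.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of CWE-327 applied to JWTs (not the database's own code):
// a token issued with alg "none" carries no signature, so its claims can be
// rewritten by anyone, and a verifier that trusts the header accepts the result.
public class JwtNoneDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    // Assumed shared HMAC key for the example; real code loads it from a secret store.
    private static final byte[] KEY =
        "demo-hmac-key-change-me-32-bytes!!".getBytes(StandardCharsets.UTF_8);

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] hmacSha256(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // VULNERABLE issuer: alg "none", empty signature segment.
    static String issueUnsigned(String claimsJson) {
        return b64("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "." + b64(claimsJson) + ".";
    }

    // FIXED issuer: HS256 over header.payload with the server-held key.
    static String issueSigned(String claimsJson) throws Exception {
        String signingInput = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "." + b64(claimsJson);
        return signingInput + "." + B64.encodeToString(hmacSha256(signingInput));
    }

    // VULNERABLE verifier: lets the attacker-controlled header choose the algorithm.
    // For "none" it accepts an empty signature, so forged claims pass.
    static boolean verifyTrustingHeader(String token) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (header.contains("\"alg\":\"none\"")) {
            return parts[2].isEmpty();                 // "unsigned" is treated as valid here
        }
        byte[] expected = hmacSha256(parts[0] + "." + parts[1]);
        return MessageDigest.isEqual(expected, B64D.decode(parts[2]));   // constant-time compare
    }

    // FIXED verifier: the algorithm is pinned in server code, never taken from the
    // token, and a missing or mismatching signature always fails.
    static boolean verifyPinnedHs256(String token) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3 || parts[2].isEmpty()) return false;
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"HS256\"")) return false;   // rejects "none" and everything else
        byte[] expected = hmacSha256(parts[0] + "." + parts[1]);
        return MessageDigest.isEqual(expected, B64D.decode(parts[2]));
    }

    // Attacker step: no key needed, just an unsigned token with the claims they want.
    static String forgeAdminToken() {
        return issueUnsigned("{\"sub\":\"alice\",\"role\":\"admin\"}");
    }

    public static void main(String[] args) throws Exception {
        String legit = issueSigned("{\"sub\":\"alice\",\"role\":\"user\"}");
        String forged = forgeAdminToken();

        System.out.println("weak verifier,  legit signed token: " + verifyTrustingHeader(legit));  // true
        System.out.println("weak verifier,  forged none token:  " + verifyTrustingHeader(forged)); // true: escalation
        System.out.println("fixed verifier, legit signed token: " + verifyPinnedHs256(legit));     // true
        System.out.println("fixed verifier, forged none token:  " + verifyPinnedHs256(forged));    // false
    }
}
```

Compile and run with `javac JwtNoneDemo.java && java JwtNoneDemo`. The fix has two halves and both are needed: the issuer must always sign, and the verifier must refuse to take the algorithm from the token. Removing only the `none` issuance leaves a header-trusting verifier exploitable by any token an attacker constructs themselves.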