SYM_PY_0005 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Authentication
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-287: Improper Authentication |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code decodes JWT tokens with signature verification disabled ('verify=False'), so the signature is never checked and the claims in the payload are trusted without any check that the token has been tampered with. As a result, tokens whose header or payload have been altered by an attacker are accepted as genuine.
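To make the finding concrete, the following is an added example (not code from this database or from the flagged project) that places the vulnerable decode path beside the hardened one, using a minimal HS256 implementation from the Python standard library so it runs offline; the key, claims and tampered token are constructed. The PyJWT calls named in the docstrings are the library's real forms.

```python
import base64
import hashlib
import hmac
import json

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
def _hs256(header_b64: str, payload_b64: str, key: bytes) -> bytes:
    return hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue an HS256 JWT, as a login handler would."""
    header_b64, payload_b64 = _segment({"alg": "HS256", "typ": "JWT"}), _segment(payload)
    return f"{header_b64}.{payload_b64}.{_b64url_encode(_hs256(header_b64, payload_b64, key))}"

def decode_unverified(token: str, key=None) -> dict:
    """Vulnerable pattern, same effect as jwt.decode(token, key, verify=False): key ignored, signature never read."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))

def decode_verified(token: str, key: bytes) -> dict:
    """Hardened pattern, PyJWT equivalent jwt.decode(token, key, algorithms=["HS256"]): pin alg, check MAC first."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # also rejects alg=none
    if not hmac.compare_digest(_hs256(header_b64, payload_b64, key), _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))

def tamper_payload(token: str, new_payload: dict) -> str:
    """Constructed test input: payload swapped, original signature kept, so the token is no longer authentic."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_segment(new_payload)}.{sig_b64}"

def accepts_tampered(decoder) -> bool:
    """True if `decoder` hands back the altered claims (the bug), False if it rejects the token."""
    key = b"constructed-demo-secret"  # constructed; a real key comes from configuration
    tampered = tamper_payload(sign_hs256({"sub": "alice", "role": "user"}, key),
                              {"sub": "alice", "role": "admin"})
    try:
        return decoder(tampered, key).get("role") == "admin"
    except ValueError:
        return False
```

Running `accepts_tampered(decode_unverified)` returns True and `accepts_tampered(decode_verified)` returns False, which is the whole difference the finding describes. Note that PyJWT 2.0 removed the `verify` keyword; the equivalent unsafe setting there is `options={"verify_signature": False}`, which a code review or linter rule should flag in the same way.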
Impact
If exploited, attackers could forge or modify JWT tokens to impersonate users, escalate privileges, or bypass authentication and authorization controls. This can lead to unauthorized access to sensitive data or functionality within the application.