SYM_PY_0006 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of a Broken or Risky Cryptographic Algorithm
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code accepts or issues JWT tokens that use the 'none' algorithm, meaning the token carries no cryptographic signature at all. This leaves the application vulnerable because anyone can craft or modify a token, and the application will accept it as valid.
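The following is an added illustration written for this wiki entry; it is not code from the Symbiotic project or from any library. It builds a minimal HS256 JWT verifier with the Python standard library only (no PyJWT), then shows the weak pattern the description refers to, a verifier that honours whatever `alg` the token's header claims, next to a hardened verifier that pins the accepted algorithm server-side. The secret, the claims and the `unsigned_test_vector` helper are constructed test fixtures for the negative test; the function names are the author's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret"

# Server-side allow list: the 'none' algorithm is never in it.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(s: str) -> bytes:
    """Base64url without padding, as used by JWS; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (the only kind the hardened verifier accepts)."""
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    return f"{signing_input}.{_b64url_encode(_hs256(key, signing_input))}"


def unsigned_test_vector(claims: dict) -> str:
    """Constructed negative test case: header says alg=none and the signature part is empty."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(claims)}."


def verify_vulnerable(token: str, key: bytes) -> dict:
    """WEAK PATTERN: the token's own header decides whether a signature is checked."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    alg = header.get("alg")
    if alg == "none":
        # Signature check skipped entirely: any claims are accepted.
        return json.loads(_b64url_decode(p))
    if alg == "HS256" and hmac.compare_digest(_hs256(key, f"{h}.{p}"), _b64url_decode(s)):
        return json.loads(_b64url_decode(p))
    raise ValueError("invalid token")


def verify_hardened(token: str, key: bytes) -> dict:
    """Pin the algorithm server-side and always verify; 'none' is rejected up front."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    # Constant-time comparison of the expected MAC against the presented one.
    if not hmac.compare_digest(_hs256(key, f"{h}.{p}"), _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


if __name__ == "__main__":
    signed = mint_hs256({"sub": "alice", "role": "user"}, SECRET)
    unsigned = unsigned_test_vector({"sub": "alice", "role": "admin"})
    print("vulnerable accepts unsigned:", verify_vulnerable(unsigned, SECRET))
    try:
        verify_hardened(unsigned, SECRET)
    except ValueError as exc:
        print("hardened rejects unsigned:", exc)
    print("hardened accepts signed:", verify_hardened(signed, SECRET))
```

The fix is the allow list, not a check for the string `"none"` alone: the server decides which algorithm it will verify before looking at the token, and the header can only select among those choices. The same idea applies when using a library such as PyJWT, where the caller supplies the accepted algorithms to `jwt.decode` rather than letting the token pick.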
Impact
If exploited, an attacker could forge JWT tokens to impersonate users or escalate privileges, bypassing authentication and authorization checks. This could lead to unauthorized access to sensitive data or critical functions, putting both user data and system integrity at risk.