CVE-2020-15957
Severity
HIGH
DP3T-Backend-SDK < 1.1.1 - Improper Verification of Cryptographic Signature via JWT alg=none Bypass
An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing (DP3T). When the backend is configured to verify a JWT before keys are uploaded/published, the signature check can be skipped by supplying a JWT whose header specifies alg=none.
References (3)
Third Party Advisory x_refsource_misc
https://github.com/dp-3T/dp3t-sdk-backend
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/DP-3T/dp3t-sdk-backend/compare/v1.0.4...v1.1.0
Patch, Third Party Advisory x_refsource_misc
https://github.com/DP-3T/dp3t-sdk-backend/security/advisories/GHSA-5m5q-3qw2-3xf3
Scores
CVSS v3
7.5
EPSS
0.0155
EPSS Percentile
71.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-347
Status
published
Products (1)
dp3t-backend-software_development_kit_project/dp3t-backend-software_development_kit
< 1.1.1
Published
Jul 30, 2020
Tracked Since
Feb 18, 2026