CVE-2020-28042
MEDIUMServiceStack < 5.9.2 - JWT Signature Verification Bypass
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2020-28042. PoCs published by z-bool.
AI-analyzed exploit summary This repository contains a Go-based tool for testing and exploiting various JWT vulnerabilities, including CVE-2020-28042 (empty signature attack). It supports multiple attack modes such as modifying the algorithm to 'none', signature validation bypass, and key injection.
Description
ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
Exploits (1)
This repository contains a Go-based tool for testing and exploiting various JWT vulnerabilities, including CVE-2020-28042 (empty signature attack). It supports multiple attack modes such as modifying the algorithm to 'none', signature validation bypass, and key injection.
References (4)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N