CVE-2021-27884: Use of Insufficiently Random Values

March 26, 2021 (updated July 22, 2021)

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi allows recreation of other users’ JWT tokens. This occurs because Math.random in Node.js is used.

References

github.com/YMFE/yapi/issues/2117
github.com/YMFE/yapi/issues/2263
github.com/advisories/GHSA-2h3h-vw8r-82rp
nvd.nist.gov/vuln/detail/CVE-2021-27884
securitylab.github.com/advisories/GHSL-2020-228-YMFE-yapi

Code Behaviors & Features

Detect and mitigate CVE-2021-27884 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →