Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Top Critical CVEs

Highest risk vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Discover domains across TLDs

Sign In Sign Up

GHSA-jrmv-h6h9-gcm3

GitHub Security Advisory

⚠ Unreviewed MODERATE Has CVE

Advisory Details

It is possible to manipulate the JWT token without the knowledge of the JWT secret and authenticate without valid JWT token as any user. This is happening only in the situation when zOSMF doesn’t have the APAR PH12143 applied. This issue affects: 1.16 versions to 1.19. What happens is that the services using the ZAAS client or the API ML API to query will be deceived into believing the information in the JWT token is valid when it isn’t. It’s possible to use this to persuade the southbound service that different user is authenticated.

Related CVEs

CVE-2021-4314

Key Information

GHSA ID

GHSA-jrmv-h6h9-gcm3

Published

July 6, 2023 7:24 PM

Last Modified

April 3, 2025 9:32 PM

CVSS Score

5.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.