CVE-2021-46743 - Insecure Encryption Vulnerability

[KieranMellorNBS]

This project uses firebase/php-jwt@5.X.X which has an insecure encryption vulnerability as detailed below:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46743

This vulnerability is remedied in firebase/php-jwt@6.X.X so can hopefully be fixed by upgrading to that version and making the required changed.

For reference:
firebase/php-jwt#351

[mxr576]

I was wondering why our always running security scanners (like via Local PHP Security Checker
did not raise this concern way sooner.

1. Possibility of Reintroducing HS256/RSA256 Type Confusion (CVE-2021-46743) firebase/php-jwt#351 (comment) This comment says using >= 5.5.0 should be fine and as of today, nothing prevents installing that version or above from the 5x branch
2. In addition, it looks like at the first sight only JWT::decode() had this vulnerability (this is what changes in the related PR confirms also), as of today this library only uses JWT::encode()

If I am right then adding firebase/php-jwt 6x support is nice to have.

[KieranMellorNBS]

Thanks for looking into this Dezső - agree with your findings that this is a false alarm. Closing the issue now.