QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2021-4314

Back to search

CVE-2021-4314

Published: Jan 18, 2023

Modified: Apr 3, 2025

PUBLISHED

Description

It is possible to manipulate the JWT token without the knowledge of the JWT secret and authenticate without valid JWT token as any user. This is happening only in the situation when zOSMF doesn’t have the APAR PH12143 applied. This issue affects: 1.16 versions to 1.19. What happens is that the services using the ZAAS client or the API ML API to query will be deceived into believing the information in the JWT token is valid when it isn’t. It’s possible to use this to persuade the southbound service that different user is authenticated.

VendorProductVersions

Open Mainframe Project

Zowe

affected
1.16.0 - < 1.19.0

Weaknesses (CWE)

CWE-269

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now