Just a heads up on a problem we’ve found thanks to Tim, who has been reviewing some open source JWT / JWS implementations for fun.
Two days ago we rolled out a few new tags for namshi/jose which fix a security vulnerability in the library.
The problem was introduced in this PR and allowed an attacker to impersonate other users. If you are running a vulnerable version you should upgrade immediately.
As far as installations are concerned:
1.0 is not affected
1.1 has been patched through
1.2 has been patched through
2.0 has been patched through
2.1 has been patched through
Please check your
if you run a vulnerable version simply do a
so that you’ll be upgraded to a patched version.
Users of the LexikJwtAuthenticationBundle
can do the same as the library requires