Use of a Broken or Risky Cryptographic Algorithm
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

The code creates JWTs with the `none` algorithm (`"alg": "none"` in the token header), so the tokens carry no cryptographic signature. Anyone can forge or modify such a token without detection, which makes any authentication built on it insecure.
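As an added example (not code from this rule page or from any JWT library), the JDK-only Java below shows the flagged pattern, a token issued with `alg` `none` and an empty signature segment, next to an HS256 issuer and a verifier that pins the expected algorithm on the server side and rejects unsigned tokens. The class name, the key and the claims are constructed for the demonstration; a real service would load the key from a secrets store and parse the header with a JSON parser rather than a substring check.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Minimal HS256 JWT issuer/verifier (example only, JDK APIs, no JWT library). */
public class JwtAlgPinning {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    // The verifier decides the algorithm; it is never taken from the token.
    private static final String EXPECTED_ALG = "HS256";

    /** The pattern this rule flags: header says alg "none" and the signature segment is empty. */
    static String issueUnsigned(String payloadJson) {
        String header = B64.encodeToString("{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".";
    }

    /** Corrected issuer: header.payload is MACed with HMAC-SHA256 under a server-held key. */
    static String issueHs256(String payloadJson, byte[] key) throws Exception {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(signingInput, key));
    }

    /** Returns the payload JSON only if the token is signed with EXPECTED_ALG under key; throws otherwise. */
    static String verify(String token, byte[] key) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed token");
        String headerJson = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // Substring check is a simplification for the example; use a JSON parser in production.
        if (!headerJson.contains("\"alg\":\"" + EXPECTED_ALG + "\"")) throw new SecurityException("unexpected alg");
        if (parts[2].isEmpty()) throw new SecurityException("unsigned token rejected");
        byte[] expected = hmac(parts[0] + "." + parts[1], key);
        byte[] actual = B64D.decode(parts[2]);
        // Constant-time comparison so signature checking does not leak timing information.
        if (!MessageDigest.isEqual(expected, actual)) throw new SecurityException("bad signature");
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    private static byte[] hmac(String data, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key (44 bytes); a real key comes from a secrets store, never from source.
        byte[] key = "constructed-demo-key-at-least-32-bytes-long!".getBytes(StandardCharsets.UTF_8);
        String claims = "{\"sub\":\"alice\",\"role\":\"user\"}";   // constructed claims
        System.out.println("accepted: " + verify(issueHs256(claims, key), key));
        try {
            verify(issueUnsigned(claims), key);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());   // "unexpected alg"
        }
    }
}
```

The important design choice is that `verify` compares the header's `alg` against a value the server chose and refuses anything else before it looks at the signature; a verifier that instead dispatches on whatever `alg` the token declares is what lets an unsigned token through.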
## Impact

If exploited, attackers can generate or alter JWT tokens to impersonate users or escalate privileges, bypassing authentication. This can lead to unauthorized access to sensitive data or critical actions in your application.