firebase/php-jwt@6.11.1 Vulnerability issue

[maheshv546]

Detailed paths
Introduced through: voya/drupal-platform@0.0.0 › drupal/apigee_edge@3.0.11 › apigee/apigee-client-php@3.0.9 › firebase/php-jwt@6.11.1

Security information
Factors contributing to the scoring:

• Snyk: CVSS v4.0 6.3 - Medium Severity | CVSS v3.1 5.6 - Medium Severity

• NVD: Not available. NVD has not yet published its analysis.

Overview
Affected versions of this package are vulnerable to Inadequate Encryption Strength due to the HMAC and RSA key lengths used in the JSON Web Signature (JWS) implementation not meeting recommended security standards.

Also need confirmation on this

• Is it using HS256 with a short or guessable secret?
• Is it configured to allow "none" algorithm?
• Is it using RSA or ECDSA with a strong key?
• All JWTs are issued/consumed only by trusted and secure parties?
• Upstream packages configure JWT securely.

[divya-intelli]

Thank you @maheshv546 for reporting the security vulnerability in the firebase/php-jwt package.
We will investigate this issue and will share further details soon.

[divya-intelli]

Hi @maheshv546 ,
We found that this issue is currently under discussion in the firebase/php-jwt repository (firebase/php-jwt#605). We plan to update the firebase/php-jwt version within apigee-client-php once the new version containing the fix is released.

[maheshv546]

Thanks for the update @divya-intell, please update us when the new version with the fix is released.