Update CVE-2023-51774.yml

Mention that versions 1.16.5 and below are vulnerable. The original advisory was published on 2023-12-22, but version 1.16.4 was published on 2023-12-27. The diffs of versions 1.16.4 and 1.16.5 do not appear to contain any significant changes to the logic which would indicate patching.
rubysec · Mar 2, 2024 · 973ee93 · 973ee93
1 parent b2eb3fe
commit 973ee93
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/gems/json-jwt/CVE-2023-51774.yml b/gems/json-jwt/CVE-2023-51774.yml
@@ -6,13 +6,14 @@ url: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
 title: json-jwt allows bypass of identity checks via a sign/encryption confusion attack
 date: 2024-02-29
 description: |
-  The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows
+  The json-jwt (aka JSON::JWT) gem versions 1.16.5 and below sometimes allows
   bypass of identity checks via a sign/encryption confusion attack.
   For example, JWE can sometimes be used to bypass JSON::JWT.decode.
-notes: Never patched
+notes: Not patched yet
 related:
   url:
     - https://nvd.nist.gov/vuln/detail/CVE-2023-51774
     - https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
     - https://github.com/advisories/GHSA-c8v6-786g-vjx6
-# not CVSS number, latest gem version is 1.16.5
+# no CVSS score yet. advisory was published before version 1.16.4 was released.
+# versions 1.16.4 and 1.16.5 do not seem patched.