CVE-2018-1000025 in Firebase Admin SDK for PHP
Summary
Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 contains a Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php does not verify for token signature that can result in JWT with any email address and user ID could be forged from an actual token, or from thin air. This attack appear to be exploitable via Attacker would only need to know email address of the victim on most cases.. This vulnerability appears to have been fixed in 3.8.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Reservation
01/29/2018
Disclosure
02/09/2018
Status
Confirmed
Entries
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerability | CWE | Exp | Cou | CVE |
|---|---|---|---|---|---|
| 113071 | Jerome Gamez Firebase Admin SDK for PHP Access Control IdTokenVerifier.php access control | 284 | Not defined | Official fix | CVE-2018-1000025 |