Default JWT Signing Key Allows Unauthorized Access to ONLYOFFICE Document Editor

CVE-2021-43445 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

All versions of ONLYOFFICE as of 2021-11-08 are affected by Incorrect Access Control. The web socket service of the ONLYOFFICE document editor is protected by JWT authentication, but because a default JWT signing key is used, an attacker who knows that default key can mint a valid token and authenticate to the service.
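The root cause above is a deployment that keeps a vendor-shipped default as its HS256 signing secret, so anyone who knows the default can sign tokens the service accepts. The following added example (written for this page, not ONLYOFFICE's own code) shows the two defensive controls a practitioner would want: a startup check that refuses to serve while the configured secret is a known default or is too weak, and a verification routine that pins the algorithm to HS256 and validates the signature against the deployment's own secret. The value in `KNOWN_DEFAULT_SECRETS` is a constructed placeholder, not the real default; the function names, the 32-byte minimum and the "8 distinct characters" heuristic are the example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder standing in for a vendor-shipped default secret.
# It is NOT the actual ONLYOFFICE default; a real deployment would list every
# default found in its shipped configuration templates here.
KNOWN_DEFAULT_SECRETS = {"CHANGE_ME_DEFAULT_SECRET"}

# 256 bits, the HS256 key-size recommendation from RFC 7518 section 3.2.
MIN_SECRET_BYTES = 32


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here so the test can show a forged token being rejected."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: str):
    """Return the payload if the token is validly signed with `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token never gets to choose (e.g. "none").
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None


def secret_problems(secret: str) -> list:
    """List the reasons a configured signing secret is unacceptable (empty list = OK)."""
    problems = []
    if secret in KNOWN_DEFAULT_SECRETS:
        problems.append("secret is a known shipped default")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        problems.append(f"secret shorter than {MIN_SECRET_BYTES} bytes")
    if len(set(secret)) < 8:  # crude entropy heuristic, assumption of this example
        problems.append("secret has too little character variety")
    return problems


def generate_secret() -> str:
    """Per-deployment replacement for the default: 48 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(48)


def authorize_socket_client(token: str, configured_secret: str):
    """Gate a web socket connection. Returns (accepted, reason)."""
    problems = secret_problems(configured_secret)
    if problems:
        # Fail closed: a service still running on a default key serves nobody.
        return False, "refusing to serve: " + "; ".join(problems)
    payload = verify_hs256(token, configured_secret)
    if payload is None:
        return False, "token signature invalid for this deployment's key"
    return True, f"accepted session for {payload.get('sub', '?')}"


if __name__ == "__main__":
    strong = generate_secret()
    forged = sign_hs256({"sub": "editor-1"}, "CHANGE_ME_DEFAULT_SECRET")
    print(authorize_socket_client(forged, strong))
    print(authorize_socket_client(sign_hs256({"sub": "editor-1"}, strong), strong))
```

The fail-closed startup check is the control that actually addresses this advisory: signature verification alone is correct code, yet it still admits every token signed with the default as long as the default remains configured.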
