Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.
The application accepts any JWT_SECRET value that is decodable from base64, regardless of its size — including single-byte values. A short or predictable secret drastically reduces the security of JWT token signatures (CWE-326: inadequate cryptographic strength). Lack of configuration integrity verification (CWE-345) means the application does not check whether the provided secret meets minimum security requirements. An attacker can use brute-force methods to guess a short secret and forge any JWT token.
An attacker can forge a JWT token and impersonate any application user, including an administrator, gaining unauthorized access to system data and functions.
The Note Mark application should be updated to version 0.19.4, which enforces minimum length and entropy of the JWT_SECRET value. Additionally, it is recommended to immediately change JWT_SECRET to a value with high entropy and appropriate length, and to invalidate existing user sessions.
Note Mark in versions earlier than 0.19.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N