I am checking the SonarQube 8.6 release notes and it contains the following ticket:
"Fix a vulnerability in the JWT implementation
JWT implementation is vulnerable to the “none” algorithm attack."
Moreover, I checked the commit that fixes the related ticket, SSF-134 "Fail to parse jwt using ‘none’ algorithm", and it doesn’t seem that the vulnerability was present; the change seems to fix just a crash and not a security vulnerability. And the commit message does not mention the security vulnerability either.
So my question is:
Are SonarQube < 8.6 or < 7.9.6 really vulnerable to the JWT “none” algorithm attack? Or is this a mistake in the Jira ticket description?
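To make concrete what the “none” algorithm check in a JWT verifier looks like, here is an added, self-contained Python example (it is not SonarQube's code, which is Java, and it says nothing about what the SSF-134 commit actually changed). It builds a minimal HS256 signer and two verifiers: a lenient one that trusts the `alg` claim from the token header and skips signature verification when it says `none`, and a strict one that only accepts an explicit allow-list of algorithms and always checks the HMAC. The key and the sample payload are constructed values for the demonstration; `verify_strict` is the behaviour a defender wants, and the lenient verifier exists only to show which input it must reject.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment would load a random secret from config.
DEMO_KEY = b"constructed-demo-secret-do-not-use"

# Strict verifier accepts only the algorithm the server itself signs with.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a properly signed HS256 token (what the server issues)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def unsigned_none_token(payload: dict) -> str:
    """Constructed test vector: header claims alg=none and carries an empty signature."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def _split(token: str) -> Optional[tuple]:
    parts = token.split(".")
    return tuple(parts) if len(parts) == 3 else None


def verify_lenient(token: str, key: bytes) -> Optional[dict]:
    """The weak pattern: the token header decides whether a signature is checked."""
    parts = _split(token)
    if parts is None:
        return None
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") == "none":
        # Trusting the header here is the defect: any client can set alg=none.
        return json.loads(b64url_decode(p64))
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    return json.loads(b64url_decode(p64))


def verify_strict(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: allow-list the algorithm, always check the MAC."""
    parts = _split(token)
    if parts is None:
        return None
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Rejects "none", "NONE", a missing alg, and any algorithm we never issue.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    return json.loads(b64url_decode(p64))


if __name__ == "__main__":
    claims = {"sub": "demo-user", "admin": True}
    good = sign_hs256(claims, DEMO_KEY)
    forged = unsigned_none_token(claims)
    print("strict, signed token  :", verify_strict(good, DEMO_KEY))
    print("strict, alg=none token:", verify_strict(forged, DEMO_KEY))
    print("lenient, alg=none token:", verify_lenient(forged, DEMO_KEY))
```

The detection point to carry over to any JWT library, regardless of language, is the allow-list: the verifier decides which algorithm is acceptable from its own configuration, never from the token. A crash on `alg=none` (which is what the question describes the commit fixing) is a different outcome from accepting the token, and this example lets you tell the two apart by running both verifiers over the same constructed input.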