JsonWebToken open source library has a significant security flaw


The popular open source project JsonWebToken contained a very serious vulnerability that could allow remote threat actors to execute malicious code on affected endpoints.

A report from Palo Alto Networks’ cybersecurity arm, Unit 42, outlined how the flaw would allow the server to authenticate a maliciously crafted JSON web token (JWT) request, giving the attackers remote code execution (RCE) capabilities.

That, in turn, would allow threat actors to access, steal, or modify sensitive information (including identity data).

Patch is available

The flaw is now tracked as CVE-2022-23529 and has been assigned a severity rating of 7.6/10, which classifies it as “very severe” rather than “critical”.

One reason it did not receive a higher score is that attackers must first compromise the secret management process between an application and a JsonWebToken server.

Anyone using JsonWebToken package version 8.5.1 or earlier is advised to update the JsonWebToken package to version 9.0.0, which ships with a patch for the bug.

JsonWebToken is an open source JavaScript package that allows users to authenticate (verify) and/or sign JWTs.

The tokens are mostly used for authorization and authentication, the researchers said, adding that the package was developed and is maintained by Auth0.

At the time of writing, the package had more than nine million weekly downloads and more than 20,000 dependents. “This package plays a major role in the authentication and authorization functionality for many applications,” the researchers said.

The vulnerability was first discovered in mid-July 2022, with Unit 42 researchers immediately reporting their findings to Auth0. The authors acknowledged the vulnerability a few weeks later (in August) and finally released a patch on December 21, 2022.

Auth0 fixed the problem by adding further checks on the secretOrPublicKey parameter so that it no longer parses malicious objects.

Via: BleepingComputer
