The maintainers of the popular JsonWebToken package that is used for signing and verifying JSON web tokens have fixed a serious vulnerability in the open source project that could enable an attacker to gain remote code execution on a target server in some limited circumstances.
The vulnerability (CVE-2022-23529) affects JsonWebToken versions 8.5.1 and earlier and is fixed in version 9.0.0. Researchers with Palo Alto Networks' Unit 42 discovered the flaw, which results from missing input validation in the package's verify() function: the key argument is used without checking that it is the string or buffer the documentation calls for. JsonWebToken is used widely and has more than 20,000 dependent packages.
The JWT standard is designed to allow secure transmission of information by encoding and signing JSON data. That data typically includes claims about a specific user, and JWTs often are used for authentication. Tokens can be signed with an asymmetric public/private key pair or with a shared secret. The bug that the Palo Alto researchers discovered enables an attacker who can control the value passed as the key to the verify function in JsonWebToken to gain remote code execution.
“One of the methods provided by the JsonWebToken package is verify. The verify method receives three parameters: token, secretOrPublicKey and options. This function verifies the validity of the JWT and returns the decoded payload part. According to the documentation, secretOrPublicKey is a string or buffer,” Artur Oleyash of Palo Alto said in a post.
“When no allowed algorithms are provided within the options algorithms list, the values within the privacy enhanced mail (PEM) file, which is provided by the secretOrPublicKey parameter, will be assigned instead. This presents a problem: There is no check in place in order to determine that secretOrPublicKey is indeed a string or a buffer (per the documentation), and it’s blindly using its toString() method. By executing the verify function with a malicious object, we succeeded in writing an arbitrary file on the hosting machine.”
Auth0, which develops and maintains the JsonWebToken project, released the fixed version, 9.0.0, on Dec. 22. That update also fixes three other vulnerabilities, including one that could allow a forged token to pass signature verification.
“There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens,” the Auth0 advisory says.