JsonWebToken open source library has a significant security flaw
The popular open source project JsonWebToken was carrying a high-severity vulnerability that allowed threat actors to execute malicious code on affected endpoints remotely.
A report from Palo Alto Networks' cybersecurity arm, Unit 42, outlined how the flaw would allow the server to verify a maliciously crafted JSON web token (JWT) request, granting the attackers remote code execution (RCE) capabilities.
That, in turn, would allow threat actors to access sensitive information (including identity data) and steal or modify it.
Patch is available
The flaw is now tracked as CVE-2022-23529 and has been given a CVSS severity score of 7.6/10, marking it as "high-severity" rather than "critical".
One of the reasons it was not given a higher score is that the attackers would first have to compromise the secret management process between an application and a JsonWebToken server; in practice, they need control over the secret or public key that the application hands to the library for verification.
Anyone using JsonWebToken package version 8.5.1 or earlier is advised to update the package to version 9.0.0, which includes a patch for the flaw.
JsonWebToken is an open source JavaScript package that allows users to verify and/or sign JWTs.
The tokens are commonly used for authorization and authentication, the researchers said, adding that the package was developed and is maintained by Auth0.
At press time, the package had more than 9 million weekly downloads and more than 20,000 dependents. "This package plays a huge role in the authentication and authorization functionality for many applications," the researchers said.
The vulnerability was first discovered in mid-July 2022, with Unit 42's researchers reporting their findings to Auth0 immediately. The authors acknowledged the vulnerability a few weeks later (in August) and finally released a patch on December 21, 2022.
Auth0 fixed the issue by adding additional checks on the secretOrPublicKey parameter passed to verification, so the library no longer processes malicious objects supplied in place of a key.
Via: BleepingComputer