JsonWebToken open source library has a significant security flaw
By Mobile Malls, January 10, 2023

The popular open source project JsonWebToken was carrying a high-severity vulnerability that allowed threat actors to remotely execute malicious code on affected endpoints.

A report from Palo Alto Networks' cybersecurity arm, Unit 42, outlined how the flaw would allow the server to verify a maliciously crafted JSON Web Token (JWT) request, granting the attackers remote code execution (RCE) capabilities. That, in turn, would allow threat actors to access sensitive information (including identity data), steal it, or modify it.

Patch is available

The flaw is now tracked as CVE-2022-23529 and has been given a severity score of 7.6/10, marking it as "high-severity" rather than "critical". One of the reasons it has not been given a higher score is that the attackers would first need to compromise the secret management process between an application and a JsonWebToken server.

Anyone using JsonWebToken package version 8.5.1 or earlier is advised to update the package to version 9.0.0, which includes a patch for the flaw. JsonWebToken is an open source JavaScript package that allows users to verify and/or sign JWTs. The tokens are commonly used for authorization and authentication, the researchers said, adding that the package was developed and is maintained by Auth0.

At press time, the package had more than 9 million weekly downloads and more than 20,000 dependents. "This package plays a huge role in the authentication and authorization functionality for many applications," the researchers said.

The vulnerability was first discovered in mid-July 2022, with Unit 42's researchers reporting their findings to Auth0 immediately. The authors acknowledged the vulnerability a few weeks later (in August) and finally released a patch on December 21, 2022.
Auth0 fixed the issue by adding extra checks to the secretOrPublicKey parameter, which prevent it from parsing malicious objects.

Via: BleepingComputer