jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC #18

New Issue

2022-12-23T04:43:27Z

argoyle commented

2022-12-23 04:43:27 +00:00

(Migrated from gitlab.com)

⚠️ dependabot-gitlab has detected security vulnerability for jsonwebtoken in path: /, manifest_file: /package.json but was unable to update it! ⚠️

https://github.com/advisories/GHSA-hjrf-2m68-5959

Package	Severity	Affected versions	Patched versions	IDs
jsonwebtoken (NPM)	MODERATE	<= 8.5.1	9.0.0	`GHSA-hjrf-2m68-5959`,`CVE-2022-23541`

Description

Overview

Versions <=8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the secretOrPublicKey argument from the readme link) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens.

Am I affected?

You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

There is no impact for end users

References

⚠️ `dependabot-gitlab` has detected security vulnerability for `jsonwebtoken` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️ * https://github.com/advisories/GHSA-hjrf-2m68-5959 | Package | Severity | Affected versions | Patched versions | IDs | |--------------------|----------|-------------------|------------------|----------------------------------------| | jsonwebtoken (NPM) | MODERATE | <= 8.5.1 | 9.0.0 | `GHSA-hjrf-2m68-5959`,`CVE-2022-23541` | # Description # Overview Versions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the `secretOrPublicKey` argument from the [readme link](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. # Am I affected? You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. # How do I fix it? Update to version 9.0.0 # Will the fix impact my users? There is no impact for end users # References * https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959 * https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3 * https://nvd.nist.gov/vuln/detail/CVE-2022-23541 * https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0 * https://github.com/advisories/GHSA-hjrf-2m68-5959

argoyle (Migrated from gitlab.com) closed this issue

2023-06-02 14:10:09 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dancefinder/dancefinder-app#18