After hearing the community's feedback about the prerequisites of the exploitation scenario of the vulnerability, we made the decision to work with Auth0 to retract CVE-2022-23529. The security issue described in this blog remains a concern when the JsonWebToken library is used in an insecure way. In that scenario, if all the prerequisites are met, the issue may be exploitable. We agree that the source of this risk in that case will be in the calling code, and not in the library. Important security checks were added to the JsonWebToken code to address this issue. Users of jsonwebtoken 8.5.1 and earlier are encouraged to update to the latest version, 9.0.0, which presents safer code that fixes this security flaw and others, and prevents misuse of the package that was presented in this blog.

We want to thank Auth0 for their work to address the security issue, as well as the security community for the interest and feedback. We would also like to thank GitHub for their help. The update can be read on the Auth0 GitHub.

After receiving feedback from the community, we decided to make some clarifications regarding possible exploitation. We originally mentioned that an attacker needs to have control over the secret manager and decided that there was a practical need to make this even more clear in our language and associated figures.

Unit 42 researchers discovered a new vulnerability in the popular JsonWebToken open source project. By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request. The vulnerability is identified as CVE-2022-23529, rated high severity (CVSS 7.6). This vulnerability requires several prerequisites in order to be exploitable, which makes it less likely for an attacker to use it in the wild. If you are using JsonWebToken 8.5.1 or an earlier version, we suggest updating to JsonWebToken version 9.0.0, which includes a fix for this vulnerability.

JsonWebToken is an open source JavaScript package that allows you to verify/sign JWTs, which are mainly used for authorization and authentication purposes. Developed and maintained by Auth0, the package had over 9 million weekly downloads at the time of writing, and over 20,000 dependents (according to the JsonWebToken page). This package plays a big role in the authentication and authorization functionality for many applications.

Palo Alto Networks customers can identify assets that are running vulnerable versions of the JsonWebToken package with Prisma Cloud, and they can identify the relevant CVE within scan results.

Related Unit 42 Topics: CVE-2022-23529, remote code execution, open source, cloud

How Does the Authentication Process Work?

JWT (pronounced “jot”) is an open standard that defines a method of transferring information securely by encoding and signing JSON data.