JsonWebToken open source library has a significant security flaw
High-severity flaw was fixed in late December last year, but users still need to beware.
The popular open source project JsonWebToken was carrying a high-severity vulnerability that allowed threat actors to execute malicious code on affected endpoints, remotely.
A report from Palo Alto Networks’ cybersecurity arm, Unit 42 outlined how the flaw would allow the server to verify a maliciously crafted JSON web token (JWT) request, thus granting the attackers remote code execution (RCE) abilities.
That, in turn, would allow threat actors to access sensitive information (including identity data), steal, or modify it.
Patch is available
The flaw is now tracked as CVE-2022-23529, and has been given a severity rate of 7.6/10, marking it as “high-severity”, and not “critical”.
One of the reasons it’s not been given a higher score is due to the fact that the attackers would first need to compromise the secret management process between an application and a JsonWebToken server.
Anyone using JsonWebToken package version 8.5.1 or an earlier version is advised to update the JsonWebToken package to version 9.0.0, which comes with a patch for the flaw.
JsonWebToken is an open source JavaScript package allowing users to verify and/or sign JWTs.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The tokens are usually used for authorization and authentication, the researchers said, adding that it was developed and maintained by Auth0.
At press time, the package had more than nine million weekly downloads and more than 20,000 dependents. “This package plays a big role in the authentication and authorization functionality for many applications,” the researchers said.
The vulnerability was first discovered in mid-July 2022, with Unit 42’s researchers reporting their findings to Auth0 immediately. The authors acknowledged the vulnerability a few weeks later (in August), and finally released a patch on December 21, 2022.
Auth0 fixed the issue by adding more checks to the secretOrPublicKey parameter, which prevents it from parsing malicious objects.
- Check out the best firewalls right now
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.