Vulnerability in Popular JsonWebToken Open Source Project Leads to Code Execution


A vulnerability in the JsonWebToken open source JavaScript package could be exploited to achieve remote code execution (RCE), Palo Alto Networks' Unit 42 warns.

Maintained by the Auth0 team and designed to help with the verification and signing of web token (JWT) requests, JsonWebToken is used in many applications for authentication and authorization, and has more than 9 million weekly downloads.

Tracked as CVE-2022-23529 (CVSS score of 7.6), the vulnerability was found in the package’s verify function and can be exploited using a maliciously crafted JSON JWT request.

During the authentication process, the user-supplied credentials are sent to the authentication endpoint, which validates the information and issues a JWT signed with a secret key.

From then on, whenever the user requests access to a resource, the application sends a request carrying the JWT in the Authorization header, and the token is verified using that same secret key.

The identified vulnerability, Unit 42 researchers explain, lies in JsonWebToken’s verify function and stems from the absence of a check that one of the parameters the method receives is actually a string or a buffer.

When no allowed algorithms are provided, the package automatically derives them from the value passed in the vulnerable parameter, blindly calling one of that value’s methods in the process.

Because of that, an attacker can abuse the parameter to supply a malicious object to the verify function, override its method, and achieve arbitrary file write. The same technique can also be used to achieve remote code execution (RCE), with a slightly modified payload, the researchers say.

Because successful exploitation requires the attacker to first exploit a flaw in the application’s secret management process, the severity score of the issue has been downgraded.

CVE-2022-23529 impacts JsonWebToken version 8.5.1 and earlier and has been addressed with the release of JsonWebToken version 9.0.0. Users are advised to update to the patched version as soon as possible.

“Security awareness is crucial when using open source software. Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it’s something the open source community can take part in,” Unit 42 concludes.


By Ionut Arghire on Tue, 10 Jan 2023 14:11:40 +0000