Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-31580: A certificate verification issue when get the public key used to verify JWT. · Issue #369 · networknt/light-oauth2

light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.

CVE
#web#js#git#java#oauth#auth

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e., light-oauth2) from Github, and a security issue detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: com.networknt.oauth.key.handler; Class: Oauth2KeysGetHandler.class
Security issue: not verify the public key certificate used to validate JWT signature.

We detected that the handleRequest method get public key from the certificate without any verification. An attacker may use the private key corresponding to a revoked or expired or self-signed public key certificate to forge a JWT. We recommend to verify the validity of certificates and certificate chains to improve system security.

We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forwart to your reply. Thanks.

Related news

GHSA-mx47-h5fv-ghwh: light-oauth2 missing public key verification

light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907