Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-27h2-hvpr-p74q: jsonwebtoken has insecure input validation in jwt.verify function

Overview

For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).

Am I affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

The fix has no impact on end users.

Credits

Palo Alto Networks

ghsa
#web#js#git#rce#auth

Overview

For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).

Am I affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

The fix has no impact on end users.

Credits

Palo Alto Networks

References

  • GHSA-27h2-hvpr-p74q
  • https://nvd.nist.gov/vuln/detail/CVE-2022-23529
  • auth0/node-jsonwebtoken@e1fa9dc

Related news

Critical Security Flaw Found in "jsonwebtoken" Library Used by 22,000+ Projects

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. "By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request," Palo Alto Networks Unit 42 researcher Artur Oleyarsh

JsonWebToken Security Bug Opens Servers to RCE

The JsonWebToken package plays a big role in the authentication and authorization functionality for many applications.

CVE-2022-23529: Insecure input validation in jwt.verify function

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions `<= 8.5.1` of `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the readme link of the `jwt.verify()` function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the `jwt.verify()` on a host that you control. This issue has been fixed, please update to version 9.0.0.

ghsa: Latest News

GHSA-8gc2-vq6m-rwjw: Amazon Redshift Python Connector vulnerable to SQL Injection