The popular open source (opens in new tab) project JsonWebToken was carrying a high-severity vulnerability that allowed threat actors to execute malicious code on affected endpoints, remotely.
A report from Palo Alto Networks’ cybersecurity arm, Unit 42 outlined how the flaw would allow the server to verify a maliciously crafted JSON web token (JWT) request, thus granting the attackers remote code execution (RCE) abilities.
That, in turn, would allow threat actors to access sensitive information (including identity data), steal, or modify it.
Patch is available
The flaw is now tracked as CVE-2022-23529, and has been given a severity rate of 7.6/10, marking it as “high-severity”, and not “critical”.
One of the reasons it’s not been given a higher score is due to the fact that the attackers would first need to compromise the secret management process between an application and a JsonWebToken server.
Anyone using JsonWebToken package version 8.5.1 or an earlier version is advised to update the JsonWebToken package to version 9.0.0, which comes with a patch for the flaw.
The tokens are usually used for authorization and authentication, the researchers said, adding that it was developed and maintained by Auth0.
At press time, the package had more than nine million weekly downloads and more than 20,000 dependents. “This package plays a big role in the authentication and authorization functionality for many applications,” the researchers said.
The vulnerability was first discovered in mid-July 2022, with Unit 42’s researchers reporting their findings to Auth0 immediately. The authors acknowledged the vulnerability a few weeks later (in August), and finally released a patch on December 21, 2022.
Auth0 fixed the issue by adding more checks to the secretOrPublicKey parameter, which prevents it from parsing malicious objects.
Via: BleepingComputer (opens in new tab)