Query
Relevant PR: github/codeql#5597
CVE ID(s)
https://i.blackhat.com/USA-19/Thursday/us-19-Jaiswal-Preventing-Authentication-Bypass-A-Tale-Of-Two-Researchers.pdf
https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/
GHSA-5m5q-3qw2-3xf3
Found using this query:
GHSA-f65w-6xw8-6734
GHSA-6g3c-2mh5-7q6x
Report
A JWT consists of three parts: header, payload, and signature.
The io.jsonwebtoken.jjwt library is one of many libraries used for working with JWTs.
It offers several methods for parsing tokens, such as parse, parseClaimsJws, and parsePlaintextJws.
The last two correctly verify that the JWT is properly signed.
This is done by computing the signature of the combination of header and payload and
comparing the locally computed signature with the signature part of the JWT.
Therefore, the JwtParser must be given a key that is used for signature validation.
Unfortunately, the parse method accepts a JWT whose signature part is empty even though a signing key has been set on the parser.
This means that an attacker can craft arbitrary unsigned JWTs that will be accepted.
This is a high-impact query, as being able to forge tokens often leads to an authentication bypass.
See also the links at the top.
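The following added example (not part of the query or of the jjwt project) shows the vulnerable parse call next to the fixed parseClaimsJws call, using a constructed HMAC key; it assumes the jjwt 0.10/0.11 API (Keys.secretKeyFor, signWith(Key)).

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import java.security.Key;

public class JjwtParseDemo {
    // Constructed demo key; a real service loads its key from a secret store.
    private static final Key KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);

    // VULNERABLE: parse() also accepts an unsigned token (empty signature part,
    // "alg":"none") even though a signing key has been set on the parser.
    static String subjectUnsafe(String token) {
        Jwt<?, ?> jwt = Jwts.parser().setSigningKey(KEY).parse(token);
        return ((Claims) jwt.getBody()).getSubject();
    }

    // FIXED: parseClaimsJws() only returns a JWS, i.e. a token whose signature
    // was verified with KEY; unsigned tokens throw an UnsupportedJwtException.
    static String subjectSafe(String token) {
        Jws<Claims> jws = Jwts.parser().setSigningKey(KEY).parseClaimsJws(token);
        return jws.getBody().getSubject();
    }

    public static void main(String[] args) {
        String signed = Jwts.builder().setSubject("alice").signWith(KEY).compact();
        // No signWith(): header alg is "none" and the signature part is empty.
        String unsigned = Jwts.builder().setSubject("admin").compact();

        System.out.println("parse(signed)          -> " + subjectUnsafe(signed));
        System.out.println("parse(unsigned)        -> " + subjectUnsafe(unsigned)); // accepted
        System.out.println("parseClaimsJws(signed) -> " + subjectSafe(signed));
        try {
            subjectSafe(unsigned);
        } catch (JwtException e) {
            System.out.println("parseClaimsJws(unsigned) rejected: " + e.getMessage());
        }
    }
}
```

The query flags the first pattern: a parser with a signing key whose result comes from parse rather than parseClaimsJws or parsePlaintextJws.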
Result(s)
Provide at least one useful result found by your query, on some revision of a real project.
apache/pulsar#9172