Query
Relevant PR: github/codeql#5597
CVEs Found using this query:
Other CVE ID(s) and information
https://i.blackhat.com/USA-19/Thursday/us-19-Jaiswal-Preventing-Authentication-Bypass-A-Tale-Of-Two-Researchers.pdf
https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/
GHSA-5m5q-3qw2-3xf3
Report
A JWT consists of three parts: header, payload, and signature.
The io.jsonwebtoken.jjwt library is one of many libraries used for working with JWTs.
It offers different methods for parsing tokens like parse, parseClaimsJws, and parsePlaintextJws.
The last two correctly verify that the JWT is properly signed.
This is done by computing the signature of the combination of header and payload and
comparing the locally computed signature with the signature part of the JWT.
Therefore it is necessary to provide the JwtParser with a key that is used for signature validation.
Unfortunately the parse method accepts a JWT whose signature is empty although a signing key has been set for the parser.
This means that an attacker can create arbitrary JWTs that will be accepted.
This is a high impact query as being able to forge token often leads to an auth bypass.
See also the links at the top.
Query
Relevant PR: github/codeql#5597
CVEs Found using this query:
GHSA-f65w-6xw8-6734
GHSA-6g3c-2mh5-7q6x
CVE assigned, fix is being worked on, but fix is not yet published.
GHSA-hj36-84cp-29pr
Other CVE ID(s) and information
https://i.blackhat.com/USA-19/Thursday/us-19-Jaiswal-Preventing-Authentication-Bypass-A-Tale-Of-Two-Researchers.pdf
https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/
GHSA-5m5q-3qw2-3xf3
Report
A JWT consists of three parts: header, payload, and signature.
The
io.jsonwebtoken.jjwtlibrary is one of many libraries used for working with JWTs.It offers different methods for parsing tokens like
parse,parseClaimsJws, andparsePlaintextJws.The last two correctly verify that the JWT is properly signed.
This is done by computing the signature of the combination of header and payload and
comparing the locally computed signature with the signature part of the JWT.
Therefore it is necessary to provide the
JwtParserwith a key that is used for signature validation.Unfortunately the
parsemethod accepts a JWT whose signature is empty although a signing key has been set for the parser.This means that an attacker can create arbitrary JWTs that will be accepted.
This is a high impact query as being able to forge token often leads to an auth bypass.
See also the links at the top.