GHSA-hjrf-2m68-5959
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hjrf-2m68-5959
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-hjrf-2m68-5959/GHSA-hjrf-2m68-5959.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-hjrf-2m68-5959
- Aliases
- Related
- Published
- 2022-12-22T03:33:19Z
- Modified
- 2024-06-24T21:24:06Z
- Severity
-
- 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
- Details
-
Overview
Versions
<=8.5.1ofjsonwebtokenlibrary can be misconfigured so that passing a poorly implemented key retrieval function (referring to thesecretOrPublicKeyargument from the readme link) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens.Am I affected?
You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.
How do I fix it?
Update to version 9.0.0.
Will the fix impact my users?
There is no impact for end users
- Database specific
{ "nvd_published_at": "2022-12-22T18:15:00Z", "cwe_ids": [ "CWE-1259", "CWE-287" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-22T03:33:19Z" }- References
-
- https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959
- https://nvd.nist.gov/vuln/detail/CVE-2022-23541
- https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
- https://github.com/auth0/node-jsonwebtoken
- https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0
- https://security.netapp.com/advisory/ntap-20240621-0007
Affected packages
npm / jsonwebtoken
Package
- Name
- jsonwebtoken
- View open source insights on deps.dev
- Purl
- pkg:npm/jsonwebtoken