JsonWebToken, which is maintained by the Auth0 team and has more than 9 million weekly downloads, is used in many applications for authentication and authorisation. It was created to help sign and verify JSON Web Token (JWT) requests.
The vulnerability, identified as CVE-2022-23529 (CVSS 7.6), was discovered in the package's verify function and can be exploited using a specially crafted JWT request. During authentication, the user-supplied credentials are submitted to the authentication endpoint, which validates them and generates a JWT signed with a secret key. Whenever the user then requests access to a resource, the application sends a request carrying that JWT in the authorization header, and the token is verified using the same secret key.
According to Unit 42 researchers, the flaw lies in the verify function of JsonWebToken and is caused by a missing check that one of the parameters the function receives is a string or a buffer. When no allowed algorithms are specified, the package automatically uses whatever value is supplied through the vulnerable parameter and blindly calls one of its methods.
The severity score is lower than it might otherwise be because an attacker must first exploit a flaw in the application's secret-management process before this vulnerability can be used. CVE-2022-23529 affects JsonWebToken versions 8.5.1 and earlier and has been fixed in version 9.0.0. Users are encouraged to upgrade to the patched version as soon as possible.