
A high-severity vulnerability exists in the popular open source JsonWebToken project that could allow threat actors to remotely execute malicious code on affected endpoints.
A report from Unit 42, Palo Alto Networks’ cybersecurity arm, outlines how a server that verifies a maliciously crafted JSON Web Token (JWT) request could give attackers remote code execution (RCE) capabilities.
In turn, this would allow threat actors to access, steal or modify sensitive information, including identity data.
Patch available
The vulnerability is now tracked as CVE-2022-23529 with a severity rating of 7.6/10, marked as “high severity” instead of “critical”.
One of the reasons it didn’t get a higher score is that an attacker first needs to compromise the secrets management process between the application and the JsonWebToken server.
Anyone using JsonWebToken package version 8.5.1 or earlier is advised to update the JsonWebToken package to version 9.0.0, which contains the patch for this defect.
JsonWebToken is an open source JavaScript package that allows users to authenticate and/or sign JWTs.
These tokens are commonly used for authorization and authentication, the researchers said, adding that the package is developed and maintained by Auth0.
As of press time, the package has more than 9 million downloads per week and more than 20,000 dependants. “This package plays an important role in the authentication and authorization functions of many applications,” the researchers said.
The vulnerability was first discovered in mid-July 2022, and Unit 42 researchers immediately reported their findings to Auth0. The author acknowledged the vulnerability a few weeks later (August) and finally released a patch on December 21, 2022.
Auth0 fixed this by adding more checks to the secretOrPublicKey parameter, preventing it from parsing malicious objects.
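To act on the upgrade advice above, the following added example (not code from Unit 42, Auth0 or the original article) scans the text of an npm package-lock.json for any installed copy of jsonwebtoken older than the patched 9.0.0, including copies nested under other dependencies. It assumes the lockfileVersion 2/3 "packages" layout; the sample lockfile and the package names in it are constructed.

```javascript
// Added example: flag jsonwebtoken installs older than the patched 9.0.0.
const PATCHED = [9, 0, 0];

// Parse "major.minor.patch[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version sorts before 9.0.0 (a 9.0.0 prerelease counts as older).
function isBeforePatched(v) {
  const p = parseVersion(v);
  if (!p) return true; // unparseable version: flag it for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== PATCHED[i]) return p.nums[i] < PATCHED[i];
  }
  return p.pre;
}

// Return every install path of jsonwebtoken that still needs the upgrade.
function findUnpatchedJsonwebtoken(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match the package itself, top-level or nested, not look-alike names.
    if (!path.endsWith("node_modules/jsonwebtoken")) continue;
    if (isBeforePatched(String(entry.version))) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project and dependency names).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsonwebtoken": { version: "9.0.0" },
    "node_modules/legacy-auth/node_modules/jsonwebtoken": { version: "8.5.1" },
    "node_modules/other/node_modules/jsonwebtoken": { version: "8.3.0" },
    "node_modules/jsonwebtoken-helper": { version: "1.0.0" },
  },
});

console.log(findUnpatchedJsonwebtoken(SAMPLE_LOCK));
```

A transitive dependency can keep an old copy installed even after the top-level package is upgraded, which is why the nested paths are checked as well.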
Via: BleepingComputer