1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • JsonWebToken open source library has a significant security flaw

    From TechnologyDaily@1337:1/100 to All on Tue Jan 10 19:30:04 2023
    JsonWebToken open source library has a significant security flaw

    Date:
    Tue, 10 Jan 2023 19:19:25 +0000

    Description:
    Hackers could have used flaw to remotely execute malicious code on affected endpoints.

    FULL STORY ======================================================================

    The popular open source project JsonWebToken was carrying a high-severity vulnerability that allowed threat actors to execute malicious code on
    affected endpoints, remotely.

    A report from Palo Alto Networks cybersecurity arm, Unit 42 outlined how the flaw would allow the server to verify a maliciously crafted JSON web token (JWT) request, thus granting the attackers remote code execution (RCE) abilities.

    That, in turn, would allow threat actors to access sensitive information (including identity data ), steal, or modify it. Patch is available

    The flaw is now tracked as CVE-2022-23529, and has been given a severity rate of 7.6/10, marking it as high-severity, and not critical.

    One of the reasons its not been given a higher score is due to the fact that the attackers would first need to compromise the secret management process between an application and a JsonWebToken server.

    Anyone using JsonWebToken package version 8.5.1 or an earlier version is advised to update the JsonWebToken package to version 9.0.0, which comes with a patch for the flaw.

    JsonWebToken is an open source JavaScript package allowing users to verify and/or sign JWTs.

    The tokens are usually used for authorization and authentication, the researchers said, adding that it was developed and maintained by Auth0. Read more

    Sign in with Apple vulnerability could have led to account takeovers


    The love for open source software is showing no signs of slowing down


    These are the best endpoint protection software around

    At press time, the package had more than nine million weekly downloads and more than 20,000 dependents. This package plays a big role in the authentication and authorization functionality for many applications, the researchers said.

    The vulnerability was first discovered in mid-July 2022, with Unit 42s researchers reporting their findings to Auth0 immediately. The authors acknowledged the vulnerability a few weeks later (in August), and finally released a patch on December 21, 2022.

    Auth0 fixed the issue by adding more checks to the secretOrPublicKey parameter, which prevents it from parsing malicious objects. Check out the best firewalls right now

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/jsonwebtoken-open-source-library-has-a-signific ant-security-flaw


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)