Popular open source(Opens in a new window)The JsonWebToken project contained a critical vulnerability that allowed threat agents to remotely execute malicious codes on the affected endpoints.
Palo Alto Networks cybersecurity arm Unit 42 reported how the flaw would enable a server to validate malicious JSON code (JWT), giving attackers Remote Code Execution capability (RCE).
This would allow threat actors to gain sensitive information (including Identity data) or stolen or modified.
You can correct this
The flaw is being tracked as CVE-2022–23529 and has been given a severity rating 7.6/10, making the flaw “severe” instead of “critical.”
It was not awarded a higher score because attackers would need to crack the secret administration process between the application’s JsonWebToken servers.
Anyone who is using JsonWebToken version 8.5.1 or older is advised to upgrade the JsonWebToken Package to version 9.0.0. This comes with a bug fix.
Researchers stated that the tokens are used commonly for authorization and authentication. They were also maintained by Auth0.
The bundle was downloaded more than nine million times per week, and has more than 20,000 dependents at the time it was published. The researchers stated that this package plays an important role in the authorization and authentication function of many applications.
The vulnerability was discovered by Unit 42 researchers in mid-July 2022. They reported their findings to Auth0 right away. The vulnerability was acknowledged by the authors a few weeks later, in August, and a patch was released on December 21, 2022.
Auth0 resolved the problem by adding additional checks to the secretOrPublicKey parameter. This prevents malicious objects from being parsed.
via: PC(Opens in a new window)
[Denial of responsibility! reporterbyte.com is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – reporterbyte.com The content will be deleted within 24 hours.]