[Nulled] » Information security » Auth0 fixed an RCE vulnerability in the popular open source library JsonWebToken
January 16 2023

Auth0 fixed an RCE vulnerability in the popular open source library

web3 16-01-2023, 12:37 Information security 209

Auth0 fixed an RCE vulnerability in the popular open source library JsonWebToken, which was used in more than 22,000 projects and downloaded more than 36 million times a month on NPM.

JsonWebToken is an open source library used to create, sign and validate JSON web tokens, used in projects involving Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack, SAP and many others. Developed and maintained by Okta.

The vulnerability is monitored by CVE-2022-23529 and affects versions of JsonWebToken up to 9.0.0. Its successful operation may allow attackers to bypass authentication mechanisms, gain access to confidential information, and steal or modify data.

The vulnerability is not critical and has a CVSS score of 7.6, since it requires an attacker to compromise the process of secret management between the application and the JsonWebToken server, which complicates its use.

CVE-2022-23529 was discovered on July 13, 2022 by Unit 42 Palo Alto Networks resellers as a result of checking the malicious JWS token.

The researchers found that attackers can remotely execute code on servers thanks to the verify() JsonWebToken method, which is used to verify JWT and return decoded information.

In view of the lack of verification of one of the secretOrPublicKey parameters, attackers can send a specially created object to perform arbitrary file recording on the target machine.

At the same time, using the same vulnerability, but with a different payload in the request, you can practically achieve remote code execution.

The Auth0 team confirmed the problem in August 2022 and, after painstaking work to fix it, released a patch with JsonWebToken version 9.0.0 on December 21, 2022.

The fix includes the implementation of additional checks of the defective parameter.

Despite the complexity of practical operation, the vulnerability will pose a serious threat to the supply chain for a long period of time until most projects are upgraded to a secure version.

In addition, given the wide popularity of JsonWebToken and the number of potential targets, the criminal potential and enthusiasm of the attackers certainly should not be underestimated.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: web3
  • Date of publication: 16 January 2023 12:37
  • Publication category(s): Information security
  • Number of views of the publication: 209
  • Number of comments to the publication: 0

Related News

15 January 2023
Information security
Synology has eliminated

Synology has eliminated a critical vulnerability in VPN routers

Read more
16 January 2023
Information security
Most Cacti installations

Most Cacti installations on the Internet are not fixed and are vulnerable to a critical RCE error, which is

Read more
16 January 2023
Information security
The first January ICS

The first January ICS fixes came up with a dozen security recommendations from Siemens and Schneider Electric,

Read more
16 January 2023
Information security
Netgear has fixed a

Netgear has fixed a serious vulnerability affecting Wi-Fi routers and advised customers to update the software on

Read more
16 January 2023
Information security
Experts warn of a

Experts warn of a critical vulnerability of the Linux kernel of 10 points on the CVSS scale, which affects SMB

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    December 2024    »
MonTueWedThuFriSatSun
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +8 Total articles 6750
  • +16 Comments 4226
  • +35 Users : 6047