Researchers Find Security Flaw in JsonWebToken Library Used By 20,000+ Projects

A new high-severity vulnerability has been discovered in the popular open-source JavaScript package JsonWebToken.

Exploiting the vulnerability could allow an attacker to perform remote code execution (RCE) on the server and validate maliciously crafted JSON Web Token (JWT) requests, Palo Alto Networks explained on Monday.

From a technical perspective, JsonWebToken, developed and maintained by Auth0, allows developers to validate/sign JWTs and is primarily used for authorization and authentication purposes.

At the time of writing, this package has over 9 million weekly downloads and over 20,000 dependent projects. That’s why Palo Alto Networks security researcher Artur Oleyarsh said the team was quick to warn Auth0 when it first discovered the vulnerability (tracked as CVE-2022-23529) in July 2022.

“Attacks against JWTs typically involve various forgery techniques that exploit buggy JWT implementations,” wrote Oleyarsh.

“This type of attack has serious consequences because, in most cases, a successful attack allows the attacker to bypass authentication and authorization mechanisms to access sensitive information or steal or modify data.”

At the same time, the Palo Alto Networks researchers found that to exploit the vulnerability, an attacker would also need to exploit flaws within the secret management process. Due to the complexity of the vulnerability, Palo Alto Networks suggested a CVSS score of 7.6.

According to security experts, the Auth0 engineering team provided a patch for this vulnerability in December 2022.

“We would like to thank the Auth0 team for handling the disclosure process professionally and providing patches for the reported vulnerabilities,” added Oleyarsh.

More generally, cybersecurity experts say security awareness is important when using open source software.

“A review of commonly used security open source implementations is necessary to maintain their credibility and is something the open source community can participate in.”

The vulnerability comes amid a huge increase in malicious activity targeting upstream open source code repositories in the final months of 2022.
