
Severe Security Flaw Found in “jsonwebtoken” Library Used by 22,000+ Projects



Jan 10, 2023 | Ravie Lakshmanan | Software Security / Supply Chain


A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server.

“By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request,” Palo Alto Networks Unit 42 researcher Artur Oleyarsh said in a Monday report.

Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue affects all versions of the library up to and including 8.5.1 and has been addressed in version 9.0.0, shipped on December 21, 2022. The flaw was reported to the maintainers by the cybersecurity company on July 13, 2022.

jsonwebtoken, which is developed and maintained by Okta’s Auth0, is a JavaScript module that allows users to decode, verify, and generate JSON web tokens as a means of securely transmitting information between two parties for authorization and authentication. It has over 10 million weekly downloads on the npm software registry and is used by more than 22,000 projects.

The flaw lies in the library's verify() function, which did not check the type of its secretOrPublicKey argument before calling that value's toString() method. An attacker who can control the argument can therefore hand verify() an object instead of a key, and the object's toString() runs inside the verifying process. Code execution at that point breaks the confidentiality and integrity guarantees the library exists to provide, potentially enabling a bad actor to overwrite arbitrary files on the host and perform any action of their choosing using a poisoned secret key.


“With that being said, in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process,” Oleyarsh explained.

As open source software increasingly emerges as a lucrative initial access pathway for threat actors to stage supply chain attacks, it’s crucial that vulnerabilities in such tools are proactively identified, mitigated, and patched by downstream users.

Making matters worse is the fact that cybercriminals have become much faster at exploiting newly revealed flaws, drastically shrinking the time between a patch release and exploit availability. According to Microsoft, it takes only 14 days on average for an exploit to appear in the wild after a bug is publicly disclosed.

To help downstream users find such vulnerabilities in their own dependency trees, Google last month announced the release of OSV-Scanner, an open source utility that enumerates all transitive dependencies of a project and matches them against the OSV database of known vulnerabilities.
