High-severity security flaw found in 'jsonwebtoken' library used by over 22,000 projects



January 10, 2023 | Ravie Lakshmanan | Software Security / Supply Chain

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library. Successful exploitation could lead to remote code execution on a target server.

"By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON Web Token (JWT) request," Palo Alto Networks Unit 42 researcher Artur Oleyarsh said in a report published Monday.

Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue affects versions 8.5.1 and earlier of the library and is addressed in version 9.0.0, which shipped on December 21, 2022. The flaw was reported to the maintainers by the cybersecurity firm on July 13, 2022. It lies in how the library's verify routine handles the secretOrPublicKey argument: an attacker who can substitute a specially crafted object for the expected key material can get the library to run attacker-supplied code while it processes that value.

Developed and maintained by Okta's Auth0, jsonwebtoken is a JavaScript module that lets users decode, verify, and generate JSON Web Tokens as a means of securely transmitting information between two parties for authorization and authentication. It is downloaded over 10 million times a week from the npm software registry and is used by over 22,000 projects.

As a result, the ability to execute malicious code on a server breaks the library's confidentiality and integrity guarantees, potentially letting an attacker overwrite arbitrary files on the host and perform any action of their choosing using a compromised secret key.

"With that being said, in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process," Oleyarsh explained.

With open source software increasingly emerging as a lucrative initial access vector for threat actors mounting supply chain attacks, it is important that vulnerabilities in such tools are proactively identified, mitigated, and patched by downstream users.

To make matters worse, cybercriminals have become much faster at weaponizing newly disclosed flaws, significantly shrinking the window between patch release and exploitation. According to Microsoft, it takes an average of only 14 days from the time a bug is publicly disclosed until an exploit is observed in the wild.

To help address this vulnerability discovery problem, Google last month announced the release of OSV-Scanner.
