Multiple vulnerabilities in node-jsonwebtoken



Published: 2023-01-16 | Updated: 2023-01-31
Risk: High
Patch available: YES
Number of vulnerabilities: 4
CVE-ID: CVE-2022-23539, CVE-2022-23541, CVE-2022-23540, CVE-2022-23529
CWE-ID: CWE-327, CWE-20
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available.
Vulnerable software: node-jsonwebtoken (Web applications / JS libraries)
Vendor: Auth0

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU71180

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23539

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because insecure key types are used for signature verification. A remote user can enable legacy key usage.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

node-jsonwebtoken: 8.0.0 - 8.5.1

External links

http://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33
http://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU71181

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23541

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an insecure implementation of the key retrieval function. A remote attacker can cause successful validation of forged tokens.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

node-jsonwebtoken: 8.0.0 - 8.5.1

External links

http://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959
http://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.0
http://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU71182

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-23540

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an insecure default algorithm in jwt.verify(). A remote attacker can cause a signature validation bypass.

Mitigation

Install updates from vendor's website.
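
Until the update is deployed, the safe pattern for the default-algorithm issue above is to have the caller fix the accepted algorithm and to refuse verification when no key is supplied. The following is an added example, not code from node-jsonwebtoken or from this bulletin: it uses only Node's built-in crypto module, assumes the application issues HS256 tokens only, and `verifyPinned` and `makeToken` are hypothetical names.

```javascript
// Added example (not jsonwebtoken's code): verify an HS256 token with the
// algorithm pinned by the caller instead of taken from the token header.
const nodeCrypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, input) =>
  nodeCrypto.createHmac('sha256', secret).update(input).digest();

// Hypothetical helper that builds the constructed sample tokens.
// An empty secret yields an unsigned token (empty signature part).
function makeToken(header, payload, secret) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${secret ? b64url(hmac(secret, input)) : ''}`;
}

// Returns the payload or throws. `allowed` is the caller's allow-list;
// this sketch implements HS256 only, so every other value is rejected.
function verifyPinned(token, secret, allowed = ['HS256']) {
  if (typeof secret !== 'string' || secret.length === 0) {
    throw new Error('missing secret');
  }
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  // The header is attacker-controlled: use it only to reject, never to choose.
  if (!allowed.includes(header.alg) || header.alg !== 'HS256') {
    throw new Error(`algorithm not allowed: ${header.alg}`);
  }
  const expected = hmac(secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Constructed sample: a correctly signed token is accepted.
const sampleToken = makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'alice' }, 's3cret');
console.log(verifyPinned(sampleToken, 's3cret'));
```

With jsonwebtoken itself, the corresponding control is the `algorithms` option of `jwt.verify()`, set to the algorithms the application actually issues.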

Vulnerable software versions

node-jsonwebtoken: 8.0.0 - 8.5.1

External links

http://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
http://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

4) Input validation error

EUVDB-ID: #VU71185

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-23529

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the jwt.verify function. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

node-jsonwebtoken: 8.0.0 - 8.5.1
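
All four vulnerabilities list the same affected range, so one inventory check covers the bulletin. The following is an added example, not part of the original bulletin or of the vendor's tooling: it walks a parsed package-lock.json and reports every resolved copy of jsonwebtoken, including transitive ones, that falls in 8.0.0 - 8.5.1. Function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: flag jsonwebtoken copies in the range this bulletin lists
// (8.0.0 - 8.5.1). Function names and sample lockfiles are illustrative.

// "MAJOR.MINOR.PATCH" -> sortable number; assumes each component is < 1000.
function versionKey(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? Number(m[1]) * 1e6 + Number(m[2]) * 1e3 + Number(m[3]) : null;
}

function isVulnerable(version) {
  const k = versionKey(version);
  return k !== null && k >= versionKey('8.0.0') && k <= versionKey('8.5.1');
}

// Return every resolved jsonwebtoken copy in a parsed package-lock.json,
// including transitive copies nested under other packages.
function findJsonwebtoken(lock) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/jsonwebtoken$/.test(path)) record(path, meta);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  (function walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'jsonwebtoken') record(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  })(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles, not from a real project.
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/jsonwebtoken': { version: '9.0.0' },
  'node_modules/legacy-sso/node_modules/jsonwebtoken': { version: '8.5.1' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'legacy-sso': { version: '2.1.0', dependencies: { jsonwebtoken: { version: '8.0.0' } } },
} };
console.log(findJsonwebtoken(sampleV3), findJsonwebtoken(sampleV1));
```

On a real project, pass the result of `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findJsonwebtoken`; a copy pulled in by another dependency is reported with its nested path.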

External links

http://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-27h2-hvpr-p74q
http://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


