CVE-2022-23529: RCE vulnerability discovered in JsonWebToken (JWT) library (Revoked)
This blog is about the CVE-2022-23529: RCE vulnerability discovered in JsonWebToken (JWT) library (Revoked).
Jaydev Ahire
3 min read
Update CVE-2022-23529:
The Common Vulnerabilities and Exposures (CVE) system has recently updated its records with the status of CVE-2022-23529, which has been marked as "REJECTED." This means that the vulnerability has been deemed not to exist and will not be included in the National Vulnerability Database (NVD) search results. The decision to reject this candidate number was made without any external consultation, and the reason stated was that the issue is not a vulnerability. No further notes were provided.
Reference Inputs-
Update: CVE-2022-23529 - REJECTEDCVE has been marked "REJECT" in the CVE List. These CVEs are stored in the NVD, but do not show up in search results.
Description: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The issue is not a vulnerability. Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-23529
Background CVE-2022-23529:
Unit 42 researchers have discovered a vulnerability in the widely-used JsonWebToken open-source project. It has sent shockwaves through the web development and security communities, as it could potentially put thousands of applications at risk. Identified as CVE-2022-23529, with a CVSS score of 7.6, the vulnerability is rated high severity, meaning that it could lead to major security breaches if left unpatched.
JsonWebToken is an open-source JavaScript package developed and maintained by Auth0, and it plays a crucial role in the authentication and authorization process for thousands of applications. The package is used for the verification and signing of JWTs, which are commonly used for secure communication between client and server.
With over 20,000 applications relying on JsonWebToken for their authentication and authorization functionality, the potential impact of a compromise could be devastating.
The discovery of this vulnerability is a stark reminder that even the most widely-used and seemingly secure projects are not immune to vulnerabilities. Developers and security experts must take note of this vulnerability and take the necessary steps to protect their applications and users.
Example CVE-2022-23529:
Here is an example of an HTTP request that uses a JSON Web Token (JWT) for authorization:
This vulnerability allows an attacker to gain remote code execution (RCE) on a server by crafting a malicious JSON web token (JWT) request. Although this vulnerability allows for remote code execution, the likelihood of it being exploited in real-world attacks is low, as it has specific prerequisites that must be met in order to exploit it successfully.
Check out the world’s first API only CVE database.
Akto has its own API CVE database that tracks security vulnerabilities found in popular and common software on our website.
What is CVE-2022-23529?
The vulnerability is found within the JsonWebToken's verify() function, which is responsible for validating JWT tokens and returning the decoded information. This function accepts three parameters- token, secretkeyORPublickey and options.
The vulnerability in JsonWebToken's verify() method enables attackers to conduct arbitrary file writes on the target machine. This is possible due to the fact that the method doesn't properly validate the 'secretOrPublicKey' parameter, which is supposed to be a string or a buffer, allowing an attacker to send a maliciously crafted object in its place.
The malicious code will successfully execute and exit the node process before the .includes(‘BEGIN CERTIFICATE’) check in the verify function is performed, enabling the attacker to perform an arbitrary file write on the hosting machine.
Using the same technique makes it possible to gain remote code execution (RCE) on the targeted server, but it requires a slight modification of the payload by utilizing the child_process module.
Fix:
The Auth0 team acknowledged the vulnerability in August 2022, and on December 21, 2022, they released a patch to fix the vulnerability with the release of JsonWebToken version 9.0.0. To address the vulnerability, the code that caused the vulnerability was removed and replaced with new checks on the secretOrPublickey parameter, which now ensures that the parameter can't contain malicious objects, effectively preventing the vulnerability.
Advisory:
The Auth0 team has released a patch to address this vulnerability with the release of JsonWebToken version 9.0.0, which was made available on December 21, 2022. We strongly recommend that all users of the JWT library update to version 9.0.0 as soon as possible in order to protect their systems from this vulnerability. If you are using an older version of the JWT library, it is possible that you may be vulnerable to this issue. We recommend that you upgrade to version 9.0.0 as soon as possible to ensure the security of your systems.
Akto also offers automated testing of JWT Tokens, continuously scanning your APIs for JWT related vulnerabilities and has also introduced the world's first API only CVE database!
Reference:
Keep reading
News
7 mins
March Product News: 98 New Tests, Dynamic wordlists, and more
This edition of Akto’s newsletter is packed with new features and tests that will greatly decrease your API Security testing time and increase targeted testing.
Product updates
5 mins
Detailed Errors on Postman and Swagger File Import
Akto now replays APIs to automatically get data during an import of Postman and Swagger files and transparently displays reasons why each specific API couldn't be replayed in the case of an error.
Product updates
5 mins
Added 98 New API Security Tests across 5 OWASP categories
Akto has introduced new tests across several categories including BOLA, Broken Authentication, Unrestricted Resource Consumption, BFLA, and SSRF that you can explore with Akto’s Test Editor.