Researchers Find Security Flaw in JsonWebToken Library Used By 20,000+ Projects

January 10, 2023

A new high-severity vulnerability has been discovered in the popular JsonWebToken open-source JavaScript package.

By exploiting the flaw, an attacker could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request, Palo Alto Networks explained in a Monday advisory.

From a technical standpoint, JsonWebToken, which is developed and maintained by Auth0, allows developers to verify and sign JWTs and is primarily used for authorization and authentication purposes.



At the time of writing, the package has more than nine million weekly downloads and more than 20,000 dependent projects. Because of this, Palo Alto Networks security researcher Artur Oleyarsh said the team promptly alerted Auth0 when it first discovered the vulnerability (tracked as CVE-2022-23529) in July 2022.

“Generally, attacks on JWTs involve different forgery techniques abusing buggy JWT implementations,” Oleyarsh wrote.

“These kinds of attacks have severe consequences because, in most cases, a successful attack allows an attacker to bypass authentication and authorization mechanisms to access confidential information or steal and/or modify data.”

At the same time, the Palo Alto Networks researcher clarified that to exploit the vulnerability, an attacker must also take advantage of a flaw within the key management process. Due to the complexity of the vulnerability, Palo Alto Networks suggested a CVSS score of 7.6.

According to the security expert, the Auth0 engineering team delivered a patch for the flaw in December 2022.

“We would like to thank the Auth0 team for professionally handling the disclosure process and providing a patch for the reported vulnerability,” Oleyarsh added.

More generally, the cybersecurity expert said security awareness is critical when using open-source software.

“Reviewing commonly used open-source security implementations is important for maintaining their reliability, and it is something the open-source community can take part in.”

The vulnerability comes amid a huge increase in malicious activity targeting upstream open-source code repositories in the final months of 2022.


Some parts of this post are sourced from:
www.infosecurity-journal.com

