By exploiting the flaw, an attacker could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request, Palo Alto Networks explained in a Monday advisory.
From a technical standpoint, JsonWebToken, which is developed and maintained by Auth0, allows developers to verify and sign JWTs and is mainly used for authorization and authentication purposes.
At the time of writing, the package has more than nine million weekly downloads and more than 20,000 dependent projects. Because of this, Palo Alto Networks security researcher Artur Oleyarsh said the team promptly alerted Auth0 when it first discovered the vulnerability (tracked as CVE-2022-23529) in July 2022.
“Generally, attacks on JWTs involve different forgery techniques abusing buggy JWT implementations,” Oleyarsh wrote.
“These kinds of attacks have severe consequences because, in most cases, a successful attack allows an attacker to bypass authentication and authorization mechanisms to access confidential information or steal and/or modify data.”
At the same time, the Palo Alto Networks researcher clarified that to exploit the vulnerability, an attacker must also take advantage of a flaw within the secret management process. Because of that precondition, Palo Alto Networks suggested a CVSS score of 7.6.
According to the security expert, the Auth0 engineering team provided a patch for the flaw in December 2022.
“We would like to thank the Auth0 team for professionally handling the disclosure process and providing a patch for the reported vulnerability,” Oleyarsh added.
More generally, the cybersecurity expert said security awareness is crucial when using open-source software.
“Reviewing commonly used security open source implementations is important for maintaining their reliability, and it is something the open source community can take part in.”
The vulnerability comes amid a gargantuan increase in malicious activity targeting upstream open-source code repositories in the last months of 2022.