Severe Security Flaw Found in "jsonwebtoken" Library Used by 22,000+ Projects

by Oakpedia
January 10, 2023
Jan 10, 2023 | Ravie Lakshmanan | Software Security / Supply Chain

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server.

"By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request," Palo Alto Networks Unit 42 researcher Artur Oleyarsh said in a Monday report.

Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue impacts all versions of the library, including and below 8.5.1, and has been addressed in version 9.0.0 shipped on December 21, 2022. The flaw was reported by the cybersecurity company on July 13, 2022.

jsonwebtoken, which is developed and maintained by Okta's Auth0, is a JavaScript module that allows users to decode, verify, and generate JSON web tokens as a means of securely transmitting information between two parties for authorization and authentication. It has over 10 million weekly downloads on the npm software registry and is used by more than 22,000 projects.

Therefore, the ability to run malicious code on a server could break confidentiality and integrity guarantees, potentially enabling a bad actor to overwrite arbitrary files on the host and perform any action of their choosing using a poisoned secret key.

"With that being said, in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process," Oleyarsh explained.

As open source software increasingly emerges as a lucrative initial access pathway for threat actors to stage supply chain attacks, it is crucial that vulnerabilities in such tools are proactively identified, mitigated, and patched by downstream users.

Making matters worse is the fact that cybercriminals have become much faster at exploiting newly disclosed flaws, drastically shrinking the time between a patch release and exploit availability. According to Microsoft, it only takes 14 days on average for an exploit to be detected in the wild after public disclosure of a bug.

To combat this problem of vulnerability discovery, Google, last month, announced the release of OSV-Scanner, an open source utility that aims to identify all transitive dependencies of a project and highlight relevant shortcomings impacting it.