Lucene search

[email protected]CVE-2021-41106

HistorySep 28, 2021 - 9:15 p.m.

CVE-2021-41106

2021-09-2821:15:07

CWE-345

[email protected]

web.nvd.nist.gov

cve

2021

41106

jwt library

json web token

security vulnerability

hmac-based algorithms

token issuance

token validation

localfilereference

inmemory

nvd

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

4 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.3%

JSON

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the Lcobucci\JWT\Signer\Key\LocalFileReference, and suggest Lcobucci\JWT\Signer\Key\InMemory as the alternative. As a workaround, use Lcobucci\JWT\Signer\Key\InMemory instead of Lcobucci\JWT\Signer\Key\LocalFileReference to create the instances of one’s keys.

Affected configurations

Vulners

NVD

Node

lcobuccijwtRange3.4.0–3.4.6

lcobuccijwtRange4.0.0–4.0.4

lcobuccijwtRange4.1.0–4.1.5

CPENameOperatorVersion
jwt_project:jwtjwt project jwtlt3.4.6
jwt_project:jwtjwt project jwtlt4.0.4
jwt_project:jwtjwt project jwtlt4.1.5

CPE	Name	Operator	Version
jwt_project:jwt	jwt project jwt	lt	3.4.6
jwt_project:jwt	jwt project jwt	lt	4.0.4
jwt_project:jwt	jwt project jwt	lt	4.1.5

CNA Affected

[
  {
    "product": "jwt",
    "vendor": "lcobucci",
    "versions": [
      {
        "status": "affected",
        "version": ">= 3.4.0, < 3.4.6"
      },
      {
        "status": "affected",
        "version": ">= 4.0.0, < 4.0.4"
      },
      {
        "status": "affected",
        "version": ">= 4.1.0, < 4.1.5"
      }
    ]
  }
]

References

github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73

github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c

github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

4 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.3%

JSON

Related for CVE-2021-41106

friendsofphp2 nvd1 osv2 github1 cvelist1 prion1