Lucene search

K
osvGoogleOSV:GHSA-3FVG-4V2M-98JF
HistoryJun 25, 2022 - 7:19 a.m.

JWS and JWT signature validation vulnerability with special characters

2022-06-2507:19:06
Google
osv.dev
12
jsrsasign
jws
jwt
signature
validation
vulnerability
special characters
base64url
encoding
authentication
authorization
cvss 3.1
patch
upgrade
workaround
validation
adi malyanker
or david
snyk security team
coordinate
cve-2022-25898

AI Score

9.6

Confidence

High

EPSS

0.01

Percentile

83.7%

Impact

Jsrsasign supports JWS(JSON Web Signatures) and JWT(JSON Web Token) validation. However JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake.

For example, even if a string of non Base64URL encoding characters such as !@$% or \11 is inserted into a valid JWS or JWT signature value string, it will still be a valid JWS or JWT signature by mistake.

When jsrsasign’s JWS or JWT validation is used in OpenID connect or OAuth2, this vulnerability will affect to authentication or authorization.

By our internal assessment, CVSS 3.1 score will be 8.6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Patches

Users validate JWS or JWT signatures should upgrade to 10.5.25.

Workarounds

Validate JWS or JWT signature if it has Base64URL and dot safe string before
executing JWS.verify() or JWS.verifyJWT() method.

ACKNOWLEDGEMENT

Thanks to Adi Malyanker and Or David for this vulnerability report. Also thanks for Snyk security team for this coordination.

References

https://github.com/kjur/jsrsasign/releases/tag/10.5.25
https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf kjur’s advisories
https://github.com/advisories/GHSA-3fvg-4v2m-98jf github advisories
https://vulners.com/cve/CVE-2022-25898
https://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verifyJWT
https://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verify
https://kjur.github.io/jsrsasign/api/symbols/global__.html#.isBase64URLDot
https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWS-verification
https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-verification
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122

CPENameOperatorVersion
jsrsasignge4.8.0
jsrsasignlt10.5.25

AI Score

9.6

Confidence

High

EPSS

0.01

Percentile

83.7%

Related for OSV:GHSA-3FVG-4V2M-98JF