2169378 – (CVE-2022-23540) CVE-2022-23540 jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass

Bug 2169378 (CVE-2022-23540) - CVE-2022-23540 jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass

Summary: CVE-2022-23540 jsonwebtoken: Insecure default algorithm in jwt.verify() could...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-23540
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2169428
Blocks:	2169391
TreeView+	depends on / blocked

Reported:	2023-02-13 13:23 UTC by Avinash Hanwate
Modified:	2023-06-23 01:44 UTC (History)
CC List:	8 users (show)
Fixed In Version:	jsonwebtoken 9.0.0
Doc Type:	---
Doc Text:	A flaw was found in the jsonwebtoken library. In affected versions of the jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function may lead to signature validation bypass due to defaulting to the none algorithm for signature verification.
Clone Of:
Environment:
Last Closed:	2023-06-23 01:44:55 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:3742	0	None	None	None	2023-06-22 19:52:22 UTC

Description Avinash Hanwate 2023-02-13 13:23:56 UTC

In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options.

https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3

Comment 3 errata-xmlrpc 2023-06-22 19:52:20 UTC

This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 4 Product Security DevOps Team 2023-06-23 01:44:52 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23540

Note You need to log in before you can comment on or make changes to this bug.