GHSA-3FVG-4V2M-98JF
Vulnerability from github – Published: 2022-06-25 07:19 – Updated: 2022-07-05 21:25Impact
Jsrsasign supports JWS(JSON Web Signatures) and JWT(JSON Web Token) validation. However JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake.
For example, even if a string of non Base64URL encoding characters such as !@$% or \11 is inserted into a valid JWS or JWT signature value string, it will still be a valid JWS or JWT signature by mistake.
When jsrsasign's JWS or JWT validation is used in OpenID connect or OAuth2, this vulnerability will affect to authentication or authorization.
By our internal assessment, CVSS 3.1 score will be 8.6. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Patches
Users validate JWS or JWT signatures should upgrade to 10.5.25.
Workarounds
Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.
ACKNOWLEDGEMENT
Thanks to Adi Malyanker and Or David for this vulnerability report. Also thanks for Snyk security team for this coordination.
References
https://github.com/kjur/jsrsasign/releases/tag/10.5.25 https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf kjur's advisories https://github.com/advisories/GHSA-3fvg-4v2m-98jf github advisories https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25898 https://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verifyJWT https://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verify https://kjur.github.io/jsrsasign/api/symbols/global__.html#.isBase64URLDot https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWS-verification https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-verification https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jsrsasign"
},
"ranges": [
{
"events": [
{
"introduced": "4.8.0"
},
{
"fixed": "10.5.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25898"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-25T07:19:06Z",
"nvd_published_at": "2022-07-01T20:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nJsrsasign supports JWS(JSON Web Signatures) and JWT(JSON Web Token) validation. However JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake.\n\nFor example, even if a string of non Base64URL encoding characters such as `!@$%` or `\\11` is inserted into a valid JWS or JWT signature value string, it will still be a valid JWS or JWT signature by mistake.\n\nWhen jsrsasign\u0027s JWS or JWT validation is used in OpenID connect or OAuth2, this vulnerability will affect to authentication or authorization.\n\nBy our internal assessment, CVSS 3.1 score will be 8.6.\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### Patches\nUsers validate JWS or JWT signatures should upgrade to 10.5.25.\n\n### Workarounds\nValidate JWS or JWT signature if it has Base64URL and dot safe string before\nexecuting JWS.verify() or JWS.verifyJWT() method.\n\n### ACKNOWLEDGEMENT\n\nThanks to Adi Malyanker and Or David for this vulnerability report. Also thanks for [Snyk security team](https://snyk.io/) for this coordination.\n\n### References\nhttps://github.com/kjur/jsrsasign/releases/tag/10.5.25\nhttps://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf kjur\u0027s advisories\nhttps://github.com/advisories/GHSA-3fvg-4v2m-98jf github advisories\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25898\nhttps://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verifyJWT\nhttps://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verify\nhttps://kjur.github.io/jsrsasign/api/symbols/global__.html#.isBase64URLDot\nhttps://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWS-verification\nhttps://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-verification\nhttps://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122\n",
"id": "GHSA-3fvg-4v2m-98jf",
"modified": "2022-07-05T21:25:54Z",
"published": "2022-06-25T07:19:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25898"
},
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41"
},
{
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25898"
},
{
"type": "PACKAGE",
"url": "https://github.com/kjur/jsrsasign"
},
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign/releases/tag/10.5.25"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "JWS and JWT signature validation vulnerability with special characters"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.