GHSA-7322-JRQ4-X5HF

Vulnerability from github – Published: 2021-09-29 17:09 – Updated: 2021-09-29 18:04
VLAI?
Summary
File reference keys leads to incorrect hashes on HMAC algorithms
Details

Impact

Users of HMAC-based algorithms (HS256, HS384, and HS512) combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents.

The HMAC hashing functions take any string as input and, since users can issue and validate tokens, people are lead to believe that everything works properly.

Patches

All versions have been patched to always load the file contents, deprecated the Lcobucci\JWT\Signer\Key\LocalFileReference, and suggest Lcobucci\JWT\Signer\Key\InMemory as the alternative.

Workarounds

Use Lcobucci\JWT\Signer\Key\InMemory instead of Lcobucci\JWT\Signer\Key\LocalFileReference to create the instances of your keys:

-use Lcobucci\JWT\Signer\Key\LocalFileReference;
+use Lcobucci\JWT\Signer\Key\InMemory;

-$key = LocalFileReference::file(__DIR__ . '/public-key.pem');
+$key = InMemory::file(__DIR__ . '/public-key.pem');
Severity ?
4.4 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "lcobucci/jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "lcobucci/jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "lcobucci/jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T21:27:18Z",
    "nvd_published_at": "2021-09-28T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsers of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents.\n\nThe HMAC hashing functions take any string as input and, since users can issue and validate tokens, people are lead to believe that everything works properly.\n\n### Patches\n\nAll versions have been patched to always load the file contents, deprecated the `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference`, and suggest `Lcobucci\\JWT\\Signer\\Key\\InMemory` as the alternative.\n\n### Workarounds\n\nUse `Lcobucci\\JWT\\Signer\\Key\\InMemory` instead of `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` to create the instances of your keys:\n\n```diff\n-use Lcobucci\\JWT\\Signer\\Key\\LocalFileReference;\n+use Lcobucci\\JWT\\Signer\\Key\\InMemory;\n\n-$key = LocalFileReference::file(__DIR__ . \u0027/public-key.pem\u0027);\n+$key = InMemory::file(__DIR__ . \u0027/public-key.pem\u0027);\n```",
  "id": "GHSA-7322-jrq4-x5hf",
  "modified": "2021-09-29T18:04:31Z",
  "published": "2021-09-29T17:09:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41106"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/lcobucci/jwt/CVE-2021-41106.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lcobucci/jwt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File reference keys leads to incorrect hashes on HMAC algorithms"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.