Summary:
A vulnerability has been discovered in the OpenID Connect JWKS (JSON Web Key Set) endpoint at *.portkey.finance/.well-known/jwks. This vulnerability allows unauthenticated access, which can be exploited for a variety of malicious purposes.
Description:
The OpenID Connect JWKS (JSON Web Key Set) endpoint at *.portkey.finance/.well-known/jwks does not require authentication, allowing unauthorized access. This can be exploited by attackers for a variety of malicious purposes, including key theft, DoS attacks, and MitM attacks.
Impact:
Key Theft: Attackers can steal the private keys used to sign JWTs, allowing them to forge user identities and access protected resources.
Denial-of-Service (DoS) Attacks: Attackers can flood the endpoint with requests, making it unavailable to legitimate users.
Man-in-the-Middle (MitM) Attacks: Attackers can intercept communication between clients and the endpoint, steal JWTs, and use them to access protected resources.
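A JWKS document (RFC 7517) is meant to carry only public key material, so the concrete check behind the key-theft point above is whether the published document leaks private parameters or symmetric secrets. The audit below is an added example, not code from the report or from portkey.finance; the two sample documents are constructed.

```python
import json

# Private-key members that must never appear in a published JWKS (RFC 7517 / RFC 7518).
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
}
# Public members a verifier needs for each key type.
PUBLIC_MEMBERS = {
    "RSA": {"n", "e"},
    "EC": {"crv", "x", "y"},
    "OKP": {"crv", "x"},
}

def audit_jwks(document: str) -> list[str]:
    """Return findings for a JWKS document; an empty list means it is safe to publish."""
    findings = []
    try:
        jwks = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"document is not valid JSON: {exc}"]
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["document has no 'keys' array"]
    for i, key in enumerate(keys):
        label = f"key[{i}] kid={key.get('kid', '?')}"
        kty = key.get("kty")
        if kty == "oct":  # a symmetric key in a public JWKS hands out the HMAC secret itself
            findings.append(f"{label}: symmetric key ('oct') in a public JWKS exposes the secret")
            continue
        if kty not in PUBLIC_MEMBERS:
            findings.append(f"{label}: unknown or missing kty {kty!r}")
            continue
        leaked = PRIVATE_MEMBERS[kty] & set(key)
        if leaked:
            findings.append(f"{label}: private parameters published: {sorted(leaked)}")
        missing = PUBLIC_MEMBERS[kty] - set(key)
        if missing:
            findings.append(f"{label}: missing public parameters: {sorted(missing)}")
        if "kid" not in key:
            findings.append(f"{label}: no kid, so verifiers cannot select this key")
    return findings

# Constructed samples: a correct public RSA key, then a key that wrongly includes 'd' plus an 'oct' secret.
SAMPLE_OK = json.dumps({"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "alg": "RS256", "n": "sXch...", "e": "AQAB"}]})
SAMPLE_BAD = json.dumps({"keys": [{"kty": "RSA", "kid": "k2", "n": "sXch...", "e": "AQAB", "d": "VFCW..."},
                                  {"kty": "oct", "kid": "hs", "k": "c2VjcmV0"}]})

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_jwks(doc) or ["no findings"])
```

Run it against the fetched endpoint body to decide whether the key-theft impact actually applies: no findings means only public material is exposed.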
Mitigation:
Enforce authentication: Require authentication before allowing access to the JWKS endpoint.
Restrict access: Limit access to the JWKS endpoint to only authorized clients.
Use IP blacklisting: Blacklist IP addresses suspected of malicious activity.
Monitor activity: Monitor activity on the JWKS endpoint for suspicious activity.
Recommendations:
Patch this vulnerability immediately to prevent further exploitation.
Follow best practices for OpenID Connect, such as using HTTPS and implementing strong access controls.
OWASP Classification: A10 - Broken Authentication