cdbattags / lua-resty-jwt

JWT For The Great Openresty
Apache License 2.0

Authentication Bypass #61

Open nemmerich opened 1 year ago

nemmerich commented 1 year ago

On the 13th of June 2022 we reported an authentication bypass in this library to @cdbattags. Due to time constraints on their side we privately provided a patch that should fix the issue on the 29th of July 2022. Since then we inquired about the patch multiple times. The maintainer confirmed receipt of the patch but it was never applied.

As this vulnerability was now reported a year ago, this GitHub issue is intended to warn users of this library about the authentication bypass.

We hope the patch will be implemented in the near future and kindly ask the maintainer to create a GitHub Security Advisory afterwards (https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories).

On behalf of ERNW

wisienka91 commented 1 year ago

@nemmerich Could you please provide more details on the issue? Steps to reproduce, etc? Thanks in advance and Best Regards,

odiferousmint commented 1 year ago

Can you please make the fix public? I do not see how it would be possible given that verification of the JWT (including claims) is actually performed, see:

https://github.com/cdbattags/lua-resty-jwt/blob/master/lib/resty/jwt.lua#L935

I will take a deeper look at the function(s). So far I have found nothing. I hope you will be able to give us the fix to the vulnerability, especially after a whole year.

nemmerich commented 1 year ago

The fix is provided in PR https://github.com/cdbattags/lua-resty-jwt/pull/62.

odiferousmint commented 1 year ago

Thank you, it is much appreciated!

wisienka91 commented 1 year ago

Thanks a lot!

nemmerich commented 11 months ago

Those who want to read more about this issue can do so here: https://insinuator.net/2023/10/lua-resty-jwt-authentication-bypass/

weiwuprojects commented 1 month ago

I see that a fix was merged to address this but there was no tag created to bump the version of this library. The corresponding lib page on luarocks also shows the latest version as only 0.2.3. Can someone please release version 0.2.4? @cdbattags

bewinsnw commented 1 month ago

@weiwuprojects I noticed the same thing, but also that https://github.com/api7/lua-resty-jwt/pull/8 has the fix and is in luarocks as https://luarocks.org/modules/membphis/api7-lua-resty-jwt. I'm not connected with either. The patches applied over there look like the patches proposed here.

weiwuprojects commented 1 month ago

Thanks for the input @bewinsnw. I wound up just installing from source at the fix's revision: git clone --recurse-submodules https://github.com/cdbattags/lua-resty-jwt && cd lua-resty-jwt && git reset --hard d1558e2 && luarocks make lua-resty-jwt-dev-0.rockspec