nov / json-jwt

JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby
MIT License

Security Vulnerability: JSON::JWT.decode Method #118

Closed davidwayfinder closed 8 months ago

davidwayfinder commented 8 months ago

Just listing this as a known security vulnerability.

Vulnerable to Improper Verification of Cryptographic Signature due to a sign/encryption confusion attack via the JSON::JWT.decode function. An attacker can bypass identity checks by exploiting the confusion between signature and encryption mechanisms in the token verification process.

nov commented 8 months ago

How could you build such a vulnerable application using this gem? I don't think you can.

JWS decode output is a Hash-like object, and JWE decode output is just an object including a String payload.

postmodern commented 8 months ago

@nov you will need to contest this CVE, otherwise it's going to stay in security advisory databases and people will keep asking for a patch. https://nvd.nist.gov/general/FAQ-Sections/General-FAQs#faqLink4

nov commented 8 months ago

This should be enough to prevent mixup of a blank-payload JWS with a JWE. https://github.com/nov/json-jwt/commit/9c4d842a9465bd7960570ca326c3de79b4abc9d0

Otherwise, payload access will raise an exception when a JWE is given.

postmodern commented 8 months ago

@nov I see that version 1.16.6 was released with the change to the logic. Should I update the CVE data in ruby-advisory-db and GHSA?
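
An added example, not part of the thread and not json-jwt's own code: an application-side gate that only lets a token through to claim handling if it is structurally a JWS with an allowlisted algorithm, so an encrypted (JWE) or unsigned token is rejected where a signed one is expected. The helper names, the algorithm allowlist and the sample tokens are assumptions made for illustration; it uses only the Ruby standard library.

```ruby
require 'base64'
require 'json'

# Assumption: the application only accepts these signature algorithms.
ALLOWED_SIG_ALGS = %w[RS256 ES256].freeze

# Hypothetical helper, not part of json-jwt: inspect a compact token's shape
# and protected header before any key touches it. Returns [kind, header].
def inspect_compact_token(token)
  segments = token.to_s.split('.', -1) # -1 keeps an empty trailing signature
  header = JSON.parse(Base64.urlsafe_decode64(segments.first.to_s))
  return [:invalid, nil] unless header.is_a?(Hash)

  if segments.size == 5 && header.key?('enc')
    [:jwe, header]
  elsif segments.size == 3 && header.key?('alg') && !header.key?('enc')
    [:jws, header]
  else
    [:invalid, nil]
  end
rescue StandardError
  [:invalid, nil] # fail closed on any decoding error
end

# True only for a JWS with an allowlisted alg and a non-empty signature part.
# Signature verification itself is still the JWT library's job.
def acceptable_signed_token?(token, allowed_algs = ALLOWED_SIG_ALGS)
  kind, header = inspect_compact_token(token)
  return false unless kind == :jws

  allowed_algs.include?(header['alg']) && !token.split('.', -1)[2].empty?
end

# Constructed sample tokens (placeholder segments, not real crypto).
def b64(obj)
  Base64.urlsafe_encode64(JSON.generate(obj), padding: false)
end

SAMPLE_JWS  = [b64(alg: 'RS256'), b64(sub: 'alice'), 'c2ln'].join('.')
SAMPLE_JWE  = [b64(alg: 'RSA-OAEP', enc: 'A256GCM'), 'a2V5', 'aXY', 'Y3Q', 'dGFn'].join('.')
SAMPLE_NONE = [b64(alg: 'none'), b64(sub: 'alice'), ''].join('.')
```

Run the gate before reading any claims; a token that fails it should be treated as unauthenticated regardless of what a later decode step returns.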