nov / json-jwt

JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby
MIT License

json-jwt allows bypass of identity checks via a sign/encryption #120

Closed Shoaib19 closed 6 months ago

Shoaib19 commented 6 months ago

I am getting the error. Is it resolved in 1.16.6?

The json-jwt (aka JSON::JWT) gem versions 1.16.5 and below sometimes allow bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
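The confusion named in the advisory text above depends on an encrypted token (JWE) being accepted where a signed one (JWS) is expected. As an added example, not from this thread and not json-jwt's own code, this Ruby pre-check classifies a compact token by the segment counts in RFC 7515 and RFC 7516 and rejects anything that is not a signed JWS. The method names and sample tokens are constructed for illustration, and the check looks at shape only, with no signature verification.

```ruby
require "json"

# Added example, not json-jwt code: shape check only, no signature verification.
class UnexpectedTokenType < StandardError; end

# base64url without padding, via pack/unpack so only the json library is needed.
def b64url_encode(str)
  [str].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(segment)
  segment.tr("-_", "+/").unpack1("m")
end

# Returns :jws, :jwe or :unsecured for a compact-serialized token, or raises.
def token_kind(token)
  parts = token.to_s.split(".", -1) # -1 keeps an empty trailing signature segment
  header = begin
    JSON.parse(b64url_decode(parts.first.to_s))
  rescue JSON::ParserError, EncodingError
    raise UnexpectedTokenType, "protected header is not base64url-encoded JSON"
  end
  raise UnexpectedTokenType, "protected header is not a JSON object" unless header.is_a?(Hash)

  case parts.size
  when 3 # JWS compact form: header.payload.signature
    raise UnexpectedTokenType, "3 segments but header carries enc" if header.key?("enc")
    header["alg"].to_s.downcase == "none" ? :unsecured : :jws
  when 5 # JWE compact form: header.encrypted_key.iv.ciphertext.tag
    raise UnexpectedTokenType, "5 segments but header lacks enc" unless header.key?("enc")
    :jwe
  else
    raise UnexpectedTokenType, "#{parts.size} segments is neither JWS nor JWE"
  end
end

# Call before handing the token to a decoder when the caller relies on a signature.
def require_jws!(token)
  kind = token_kind(token)
  raise UnexpectedTokenType, "expected a signed JWS, got #{kind}" unless kind == :jws
  token
end

# Constructed sample tokens; signature and ciphertext segments are placeholders.
claims = b64url_encode(JSON.generate("sub" => "alice"))
SAMPLE_JWS  = [b64url_encode(JSON.generate("alg" => "RS256")), claims, "c2ln"].join(".")
SAMPLE_NONE = [b64url_encode(JSON.generate("alg" => "none")), claims, ""].join(".")
SAMPLE_JWE  = [b64url_encode(JSON.generate("alg" => "RSA-OAEP", "enc" => "A128GCM")),
               "a2V5", "aXY", "Y3Q", "dGFn"].join(".")
```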

bramn commented 6 months ago

Not according to bundle-audit:


```
ruby-advisory-db:
  advisories:   877 advisories
  last updated: 2024-03-02 13:38:12 -0800
  commit:   973ee9391883d41454c48851116c774f1bfc78c8
Name: json-jwt
Version: 1.16.6
CVE: CVE-2023-51774
GHSA: GHSA-c8v6-786g-vjx6
Criticality: Unknown
URL: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
Title: json-jwt allows bypass of identity checks via a sign/encryption confusion attack
Solution: remove or disable this gem until a patch is available!
```

nov commented 6 months ago

https://github.com/nov/json-jwt/issues/118#issuecomment-1975078892

Shoaib19 commented 6 months ago

@nov Yeah, I see, but bundle audit is still producing the warning. CI runs it for verification; can you also fix that?

nov commented 6 months ago

I have no idea how to fix that.

annettemccullough commented 6 months ago

Has v1.16.6 been released? I don't see it in https://github.com/nov/json-jwt/releases

Shoaib19 commented 6 months ago

@annettemccullough here it is https://rubygems.org/gems/json-jwt/versions/1.16.6

Shoaib19 commented 6 months ago

The issue has been resolved by this PR #3876; you just need to update the gem to 1.16.6 or later.