JWT signature validation can be bypassed in versions <= 1.3.0 #3
Assignees
Comments
robotdan
pushed a commit
that referenced
this issue
May 2, 2018
|
Hi @rcadob thank you for reporting this issue. The issue has been patched. |
|
Fixed under abb0d47 |
mooreds
added a commit
to mooreds/fusionauth-jwt
that referenced
this issue
Jul 29, 2024
Added disclosure for CVE-2021-27736
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
The prime-jwt implementation allows that any not-signed JWT be decoded and, therefore, validated by JWTDecoder class, even when a Verifier object is provided. This issue affects versions <= 1.3.0.
For security reasons, I'm contacting the developers by email with the necessary technical details.
Description
When the JWT.getDecoder().decode(String, Verifier...) is called, the JWT signature will be ignored due to a lack of validation in JWTDecoder. A new condition should be added in this class to prevent that any encodedJWT without the signature part be decoded if exists at least 1 verifier object.
The text was updated successfully, but these errors were encountered: