JWT signature validation can be bypassed in versions <= 1.3.0 #3

Closed
rcadob opened this issue May 2, 2018 · 2 comments
rcadob commented May 2, 2018

Summary

The prime-jwt implementation allows any unsigned JWT to be decoded and, therefore, validated by the JWTDecoder class, even when a Verifier object is provided. This issue affects versions <= 1.3.0.

For security reasons, I'm contacting the developers by email with the necessary technical details.

Description

When JWT.getDecoder().decode(String, Verifier...) is called, the JWT signature will be ignored due to a lack of validation in JWTDecoder. A new condition should be added to this class to prevent any encodedJWT without the signature part from being decoded if at least one Verifier object exists.
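
The bypass class described in this report, as an added example that is not prime-jwt's own code: a toy HS256 decoder whose verifier loop only runs when a signature segment is present (the vulnerable shape, which lets an attacker-built two-segment `alg: none` token through untouched), beside a hardened decoder that rejects any token lacking a signature whenever at least one verifier is supplied. The names `decode_vulnerable`, `decode_hardened`, `HmacVerifier`, `forge_unsigned` and the demo secret are assumptions for the illustration, not identifiers from the library.

```python
"""Added illustration of the unsigned-JWT verification bypass; not prime-jwt code."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


class HmacVerifier:
    """HS256 verifier over a shared secret (assumed name, stands in for a Verifier)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Legitimate three-segment token: header.payload.signature."""
    header = _json_b64({"alg": "HS256", "typ": "JWT"})
    payload = _json_b64(claims)
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_unsigned(claims: dict) -> str:
    """Attacker-constructed token: alg=none and no signature segment at all."""
    return f"{_json_b64({'alg': 'none', 'typ': 'JWT'})}.{_json_b64(claims)}"


def _split(encoded: str):
    parts = encoded.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2]) if len(parts) == 3 else None
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    return header, payload, signature, signing_input


def decode_vulnerable(encoded: str, *verifiers) -> dict:
    """Vulnerable shape: verifiers are consulted only when a signature segment exists,
    so a two-segment token is returned as trusted claims without any check."""
    _header, payload, signature, signing_input = _split(encoded)
    if signature is not None and verifiers:
        if not any(v.verify(signing_input, signature) for v in verifiers):
            raise ValueError("invalid signature")
    return payload


def decode_hardened(encoded: str, *verifiers) -> dict:
    """Hardened: once at least one verifier is supplied, a token with no signature
    (or alg=none) is rejected before any claim is trusted."""
    header, payload, signature, signing_input = _split(encoded)
    if verifiers:
        if signature is None or header.get("alg") == "none":
            raise ValueError("unsigned JWT rejected: a verifier was supplied")
        if not any(v.verify(signing_input, signature) for v in verifiers):
            raise ValueError("invalid signature")
    return payload


def demo() -> dict:
    """Run both decoders over a forged, a legitimate and a tampered token (all constructed here)."""
    secret = b"constructed-demo-secret"  # assumption: demo-only shared secret
    verifier = HmacVerifier(secret)
    forged = forge_unsigned({"sub": "alice", "admin": True})
    legit = sign_hs256({"sub": "alice", "admin": False}, secret)
    # Tampered: swap the signed payload for an elevated one, keeping the old signature.
    h, _p, s = legit.split(".")
    tampered = f"{h}.{_json_b64({'sub': 'alice', 'admin': True})}.{s}"

    def accepts(decoder, token) -> bool:
        try:
            decoder(token, verifier)
            return True
        except ValueError:
            return False

    return {
        "vulnerable_accepts_forged": accepts(decode_vulnerable, forged),
        "hardened_accepts_forged": accepts(decode_hardened, forged),
        "hardened_accepts_legit": accepts(decode_hardened, legit),
        "hardened_accepts_tampered": accepts(decode_hardened, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened branch keys the rejection on the presence of verifiers rather than on the token's own `alg` claim alone: a token that names its algorithm as `none` is attacker-controlled input, so the decision to require a signature must come from the caller's configuration, which is exactly the condition the report asks for.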

robotdan commented May 2, 2018

Hi @rcadob thank you for reporting this issue. The issue has been patched.

@robotdan robotdan self-assigned this Jun 28, 2018
robotdan (Member) commented
Fixed under abb0d47
