
Password bypass vulnerability #12927

Closed
@a1ien

Description


We can authorize as any user. For that we can use a JWT token with an empty shared_secret.
It happens because

case BearerAuthentication:
    keyLookupFn := func(token *jwt.Token) (interface{}, error) {
        // Check for expected signing method.
        if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
            return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
        }
        return []byte(h.Config.SharedSecret), nil
    }
    // Parse and validate the token.
    token, err := jwt.Parse(creds.Token, keyLookupFn)
    if err != nil {
        h.httpError(w, err.Error(), http.StatusUnauthorized)
        return
    } else if !token.Valid {
        h.httpError(w, "invalid token", http.StatusUnauthorized)
        return
    }
here we do not check that h.Config.SharedSecret is not an empty string.
In the Authentication and authorization in InfluxDB document we do not mention anything about the shared-secret variable.

Also it seems like we also do not check the exp state of the token. And once generated, a token is valid forever.
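The two checks the report asks for (refuse to verify bearer tokens when no shared secret is configured, and reject tokens without or past their exp claim) can be illustrated with a small standalone HS256 verifier. This is an added example written for this page, not InfluxDB's code and not the jwt library it uses; it implements HS256 with the Go standard library only, and the claim names, error values and the "constructed-test-secret" value are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Sentinel errors so callers can distinguish configuration faults from bad tokens (example names).
var (
	ErrEmptySecret   = errors.New("shared secret is not configured; bearer auth disabled")
	ErrMalformed     = errors.New("malformed token")
	ErrUnexpectedAlg = errors.New("unexpected signing method")
	ErrBadSignature  = errors.New("invalid signature")
	ErrNoExp         = errors.New("token has no exp claim")
	ErrExpired       = errors.New("token expired")
)

// Claims is the subset of the payload this example inspects (assumed claim names).
type Claims struct {
	Username string `json:"username"`
	Exp      int64  `json:"exp"` // seconds since the Unix epoch; 0 means absent
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 mints a compact HS256 JWT; in this example it only exists to build test input.
func SignHS256(claims Claims, secret []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64url(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil)), nil
}

// VerifyHS256 is the hardened check: no secret means no bearer auth at all, the
// algorithm is pinned, the MAC is compared in constant time, and exp is mandatory.
func VerifyHS256(token string, secret []byte, now time.Time) (Claims, error) {
	var c Claims
	if len(secret) == 0 { // the missing check from the report: never accept HMAC with an empty key
		return c, ErrEmptySecret
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrMalformed
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return c, ErrMalformed
	}
	if hdr.Alg != "HS256" { // pin the algorithm instead of trusting the header
		return c, fmt.Errorf("%w: %q", ErrUnexpectedAlg, hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, ErrMalformed
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, ErrBadSignature
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, ErrMalformed
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, ErrMalformed
	}
	if c.Exp == 0 { // a token without exp would be valid forever; reject it
		return c, ErrNoExp
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, ErrExpired
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-test-secret") // constructed for the example, not a real deployment value
	now := time.Now()
	tok, _ := SignHS256(Claims{Username: "reader", Exp: now.Add(time.Hour).Unix()}, secret)
	_, err := VerifyHS256(tok, secret, now)
	fmt.Println("configured secret:", err) // <nil>
	_, err = VerifyHS256(tok, nil, now)
	fmt.Println("empty secret:", err) // ErrEmptySecret, before any token parsing
}
```

The ordering matters: the empty-secret check happens before the token is even parsed, so a deployment that never set the shared secret fails closed for every bearer request rather than accepting tokens signed with an empty key. Checking exp after the signature means an attacker cannot learn anything about the claims from the error returned.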
