
Applied fix for CVE-2021-31590 #128

Closed
wants to merge 1 commit

Conversation

Lednerb
Contributor

@Lednerb Lednerb commented May 12, 2021

PwnDoc through 2021-05-12 has incorrect JSON Web Token (JWT) handling, leading to incorrect access control.

Further information is provided here:
https://www.dgc.org/responsible_disclosure_pwndoc_jwt

A fix for the vulnerability is hereby provided.

Signed-off-by: Sascha Brendel <mail@lednerb.eu>
@yeln4ts
Contributor

yeln4ts commented May 18, 2021

This solution removes the utility of JWT, whose goal is to avoid querying the database on each call.
The solution I'm thinking of implementing is a refresh-token system, so that the actual JWT will have a short lifetime (~15 min) and any changes to the user would be reflected after at most the JWT lifetime.

@Lednerb
Contributor Author

Lednerb commented May 20, 2021

Hi @yeln4ts

thank you for your reply.

In my opinion this would be a workaround that reduces the database requests to 1 per user per 15 minutes instead of 1~200, depending on how often and how heavily a user interacts with the application.

However, I don't think that even 200 requests in 15 minutes per user should be a problem for the database, but sure, your proposed solution will reduce the database and CPU load a lot.

@yeln4ts
Contributor

yeln4ts commented Aug 24, 2021

The session management has been updated in v0.4.0, introducing refresh tokens; tokens now have a 15 min lifetime.

@yeln4ts yeln4ts closed this Aug 24, 2021