Tuesday, January 10, 2023
HomeCyber SecurityExtreme Safety Flaw Present in "jsonwebtoken" Library Utilized by 22,000+ Tasks

Extreme Safety Flaw Present in “jsonwebtoken” Library Utilized by 22,000+ Tasks


Jan 10, 2023Ravie LakshmananSoftware program Safety / Provide Chain

A high-severity safety flaw has been disclosed within the open supply jsonwebtoken (JWT) library that, if efficiently exploited, might result in distant code execution on a goal server.

“By exploiting this vulnerability, attackers might obtain distant code execution (RCE) on a server verifying a maliciously crafted JSON net token (JWT) request,” Palo Alto Networks Unit 42 researcher Artur Oleyarsh mentioned in a Monday report.

Tracked as CVE-2022-23529 (CVSS rating: 7.6), the problem impacts all variations of the library, together with and under 8.5.1, and has been addressed in model 9.0.0 shipped on December 21, 2022. The flaw was reported by the cybersecurity firm on July 13, 2022.

jsonwebtoken, which is developed and maintained by Okta’s Auth0, is a JavaScript module that permits customers to decode, confirm, and generate JSON net tokens as a way of securely transmitting data between two events for authorization and authentication. It has over 10 million weekly downloads on the npm software program registry and is utilized by greater than 22,000 tasks.

Due to this fact, the flexibility to run malicious code on a server might break confidentiality and integrity ensures, doubtlessly enabling a nasty actor to overwrite arbitrary information on the host and carry out any motion of their selecting utilizing a poisoned secret key.

high-severity security flaw

“With that being mentioned, with a purpose to exploit the vulnerability described on this put up and management the secretOrPublicKey worth, an attacker might want to exploit a flaw inside the secret administration course of,” Oleyarsh defined.

As open supply software program more and more emerges as a profitable preliminary entry pathway for menace actors to stage provide chain assaults, it is essential that vulnerabilities in such instruments are proactively recognized, mitigated, and patched by downstream customers.

Making issues worse is the truth that cybercriminals have grow to be a lot quicker at exploiting newly revealed flaws, drastically shrinking the time between a patch launch and exploit availability. In accordance with Microsoft, it solely takes 14 days on common for an exploit to be detected within the wild after public disclosure of a bug.

To fight this drawback of vulnerability discovery, Google, final month, introduced the discharge of OSV-Scanner, an open supply utility that goals to determine all transitive dependencies of a mission and spotlight related shortcomings impacting it.

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.





Supply hyperlink

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments