ghsa-7322-jrq4-x5hf
Vulnerability from github
Impact
Users of HMAC-based algorithms (HS256, HS384, and HS512) combined with Lcobucci\JWT\Signer\Key\LocalFileReference
as key have their tokens issued and validated using the file path as the HMAC key, instead of the file's contents.
The HMAC functions accept any string as key, and because the same path string is used on both the issuing and the validating side, tokens round-trip successfully and users are led to believe that everything works properly. The effective secret, however, is the file path rather than the key material stored in the file, so the protection the key file was meant to provide is not actually in force.
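The round-trip described above can be reproduced without the library. The following Python script is an added example, not code from the advisory or from lcobucci/jwt: it mints an HS256 token with a constructed path string as the key (what the unpatched LocalFileReference effectively did), shows that a validator holding the same path string accepts it while a validator holding the real secret rejects it, shows that knowing only the path is enough to forge a token the unpatched validator accepts, and provides classify_token() for auditing whether a token already in circulation was signed with the path or with the key contents. The key path, secret value and claims are constructed for the example and are not taken from the advisory.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example (assumed values, not from the advisory): the
# argument the application passed to LocalFileReference::file(), and the
# secret that the file at that path actually contains.
KEY_PATH = "/var/www/app/config/hmac-secret.key"
KEY_CONTENTS = b"7f3c9a1d0b8e4f62c5a7d9e1b3f5a7c9d1e3f5a7b9c1d3e5f7a9b1c3d5e7f9a1"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(); re-adds the padding JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(key: bytes, claims: dict) -> str:
    """Mint a compact HS256 JWT over the given key bytes."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def hs256_verify(key: bytes, token: str) -> bool:
    """Constant-time check that `token` is an HS256 JWT signed with `key`."""
    try:
        header, payload, signature = token.split(".")
        header_obj = json.loads(b64url_decode(header))
        provided = b64url_decode(signature)
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return False
    # Never let the token choose the algorithm: only HS256 is accepted here.
    if not isinstance(header_obj, dict) or header_obj.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, provided)


def classify_token(token: str, key_path: str, key_contents: bytes) -> str:
    """Audit helper: report which material an HS256 token was signed with.

    "path"     -> issued by an unpatched deployment (the bug in this advisory)
    "contents" -> signed with the real secret
    "neither"  -> not ours, tampered, or a different algorithm
    """
    if hs256_verify(key_contents, token):
        return "contents"
    if hs256_verify(key_path.encode("utf-8"), token):
        return "path"
    return "neither"


def demo() -> dict:
    """Reproduce the advisory: path-keyed tokens round-trip, and the path alone suffices to forge."""
    claims = {"iss": "https://app.example", "sub": "alice"}
    path_key = KEY_PATH.encode("utf-8")
    buggy_token = hs256_sign(path_key, claims)                       # unpatched LocalFileReference behaviour
    forged_token = hs256_sign(path_key, {**claims, "sub": "admin"})  # attacker who knows only the path
    fixed_token = hs256_sign(KEY_CONTENTS, claims)                   # InMemory::file / patched behaviour
    return {
        "buggy_validates_with_path": hs256_verify(path_key, buggy_token),
        "buggy_validates_with_contents": hs256_verify(KEY_CONTENTS, buggy_token),
        "forged_accepted_by_buggy_validator": hs256_verify(path_key, forged_token),
        "forged_accepted_by_fixed_validator": hs256_verify(KEY_CONTENTS, forged_token),
        "classification_of_old_token": classify_token(buggy_token, KEY_PATH, KEY_CONTENTS),
        "classification_of_new_token": classify_token(fixed_token, KEY_PATH, KEY_CONTENTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To audit a real deployment, feed classify_token() the tokens found in session stores, cookies or logs together with the exact string that was passed to LocalFileReference::file() and the bytes of that file: anything classified as "path" was issued while the bug was live and will stop validating once the key contents are used, and its signing key is a string an attacker may well be able to guess.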
Patches
All affected release lines have been patched (3.4.6, 4.0.4 and 4.1.5) to always load the file contents; Lcobucci\JWT\Signer\Key\LocalFileReference
is deprecated and Lcobucci\JWT\Signer\Key\InMemory
is suggested as the alternative. Because the patched code signs with the file contents instead of the path string, tokens issued by an unpatched version will no longer validate after upgrading and have to be reissued.
Workarounds
Use Lcobucci\JWT\Signer\Key\InMemory
instead of Lcobucci\JWT\Signer\Key\LocalFileReference
to create the instances of your keys:
```diff
-use Lcobucci\JWT\Signer\Key\LocalFileReference;
+use Lcobucci\JWT\Signer\Key\InMemory;

-$key = LocalFileReference::file(__DIR__ . '/public-key.pem');
+$key = InMemory::file(__DIR__ . '/public-key.pem');
```
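Review bot: both the removed and the added line load `public-key.pem`, but this advisory is about the HMAC signers (HS256/HS384/HS512), which take a shared secret rather than a public key; naming the file after what it actually holds (for example `hmac-secret.key`) keeps readers from copying an asymmetric-key layout into a symmetric setup. The diff should also say what the swap changes at runtime: with `InMemory::file(...)` the HMAC key becomes the file contents instead of the path string, so every token issued under the old `LocalFileReference` behaviour stops validating and must be reissued, and until that happens those path-keyed tokens should be treated as forgeable by anyone who knows the path.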
```json
{
  "affected": [
    {
      "package": { "ecosystem": "Packagist", "name": "lcobucci/jwt" },
      "ranges": [ { "events": [ { "introduced": "3.4.0" }, { "fixed": "3.4.6" } ], "type": "ECOSYSTEM" } ]
    },
    {
      "package": { "ecosystem": "Packagist", "name": "lcobucci/jwt" },
      "ranges": [ { "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.4" } ], "type": "ECOSYSTEM" } ]
    },
    {
      "package": { "ecosystem": "Packagist", "name": "lcobucci/jwt" },
      "ranges": [ { "events": [ { "introduced": "4.1.0" }, { "fixed": "4.1.5" } ], "type": "ECOSYSTEM" } ]
    }
  ],
  "aliases": [ "CVE-2021-41106" ],
  "database_specific": {
    "cwe_ids": [ "CWE-345" ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T21:27:18Z",
    "nvd_published_at": "2021-09-28T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsers of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents.\n\nThe HMAC hashing functions take any string as input and, since users can issue and validate tokens, people are lead to believe that everything works properly.\n\n### Patches\n\nAll versions have been patched to always load the file contents, deprecated the `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference`, and suggest `Lcobucci\\JWT\\Signer\\Key\\InMemory` as the alternative.\n\n### Workarounds\n\nUse `Lcobucci\\JWT\\Signer\\Key\\InMemory` instead of `Lcobucci\\JWT\\Signer\\Key\\LocalFileReference` to create the instances of your keys:\n\n```diff\n-use Lcobucci\\JWT\\Signer\\Key\\LocalFileReference;\n+use Lcobucci\\JWT\\Signer\\Key\\InMemory;\n\n-$key = LocalFileReference::file(__DIR__ . '/public-key.pem');\n+$key = InMemory::file(__DIR__ . '/public-key.pem');\n```",
  "id": "GHSA-7322-jrq4-x5hf",
  "modified": "2021-09-29T18:04:31Z",
  "published": "2021-09-29T17:09:40Z",
  "references": [
    { "type": "WEB", "url": "https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41106" },
    { "type": "WEB", "url": "https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73" },
    { "type": "WEB", "url": "https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c" },
    { "type": "WEB", "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/lcobucci/jwt/CVE-2021-41106.yaml" },
    { "type": "PACKAGE", "url": "https://github.com/lcobucci/jwt" }
  ],
  "schema_version": "1.4.0",
  "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "type": "CVSS_V3" } ],
  "summary": "File reference keys leads to incorrect hashes on HMAC algorithms"
}
```
Sightings
Author | Source | Type | Date |
---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.