Auth0 JWT vulnerabilities
4 vulnerabilities announced in Auth0's JSON Web Token (jsonwebtoken) library:
CVE-2022-23529
CVE-2022-23541
CVE-2022-23540
CVE-2022-23539
JWT is a token format that allows quick and, potentially, issuer-independent authorization, and protects the integrity of web service communications and information exchange.
Affected Products & Versions
jsonwebtoken 8.5.1 and earlier
Vuln details
Unrestricted key type; insecure key retrieval function; insecure default algorithm; improper input validation (in the jwt.verify function)
Announced by Auth0 - December 21, 2022
auth0.com/docs...
National Vulnerability Database details published December 21 and 22, 2022, and updated about a week later
nvd.nist.gov/v...
nvd.nist.gov/v...
nvd.nist.gov/v...
nvd.nist.gov/v...
CVSSv3
Unrestricted key type: NVD CVSS score 9.8
Insecure key retrieval function: NVD CVSS score 9.8
Insecure default algorithm: NVD CVSS score 8.1
Improper input validation (in the jwt.verify function): NVD CVSS score 9.8
GitHub's advisory database scores these vulnerabilities significantly lower than NIST NVD.
Known Exploits
As of today, no known (by me) exploits exist specific to these CVEs.
Solutions/Mitigations/Workarounds
Solutions
Auth0 suggests upgrading to 9.0.0 or higher (but read the individual vulnerability reports in the Auth0 article for more details)
No other mitigations or workarounds
Get Consulting: bit.ly/3R04Lsr
OCISO Knowledge Base: bit.ly/3kDGVHf
OCISO Social Media
Podcast: spoti.fi/3iuSwYa
Twitter: bit.ly/3EUkDIG
LinkedIn: bit.ly/3GIDQOY
Website: bit.ly/3gwN6uO
Facebook: bit.ly/3i9Wzsn
Sponsorship Request: If you are interested in sponsoring Office of The CISO videos, please email sponsors@officeoftheciso.com
Topics Discussed:
JWT Vulnerabilities
Vulnerability Mitigations