Vulnerability

```groovy
Boolean verifyJsonWebToken(String github_jwt) {
    // Split the compact JWS into its segments (tokenize drops empty tokens).
    List jwt = github_jwt.tokenize('.')
    // Signing input is header.payload
    String data = jwt[0..1].join('.')
    // Last segment is the signature
    String signature = jwt[-1]
    // The signature is checked, but the header's "alg" is never inspected.
    verifyRS256Base64Url(signature, data)
}
```
The code doesn't validate that the JWT header specifies "alg":"RS256".
Impact
Depending on the broader system, this could allow JWT forgery.
Internally, the severity is low since the JWT is only intended to interface with GitHub. External users should consider the severity moderate.
Patches
The Jervis patch explicitly verifies that the algorithm in the header matches expectations and further verifies the JWT structure.
Upgrade to Jervis 2.2.
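The checks the Patches section describes (the header's `alg` must be exactly `RS256`, and the compact JWS must have its three segments) written out as an added example in Python rather than the project's Groovy; this is not Jervis code. The RSA/SHA-256 verification itself is assumed to be supplied by the caller as `verify_rs256(signature_b64url, signing_input)` (in Jervis that role is played by `verifyRS256Base64Url`); `build_token`, `demo()` and the tokens they produce are constructed samples.

```python
import base64
import json
from typing import Callable

EXPECTED_ALG = "RS256"


def _b64url_decode(segment: str) -> bytes:
    """Strict base64url decode: restore the padding JWTs omit and reject stray characters."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_token(header: dict, payload: dict, signature: bytes) -> str:
    """Assemble a compact JWS from its parts (used here only to construct samples)."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


def verify_github_jwt(token: str, verify_rs256: Callable[[str, str], bool]) -> bool:
    """
    Hardened counterpart of the vulnerable verifyJsonWebToken: validate the
    structure and the header's alg BEFORE handing anything to the RS256 verifier.
    verify_rs256 is assumed (hypothetical injection point) to implement the actual
    RSA/SHA-256 check over the base64url signature and the signing input.
    """
    parts = token.split(".")
    # A compact JWS is exactly header.payload.signature, none of them empty.
    if len(parts) != 3 or not all(parts):
        return False
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict):
        return False
    # The fix: refuse anything that is not explicitly RS256 ("none", HS256, ...),
    # so the header can never steer verification toward a weaker algorithm.
    if header.get("alg") != EXPECTED_ALG:
        return False
    signing_input = header_b64 + "." + payload_b64
    return verify_rs256(signature_b64, signing_input)


def demo() -> dict:
    """Constructed samples: with a stand-in verifier that accepts any signature,
    only the alg/structure gate decides, and it rejects the non-RS256 tokens."""
    accept_any_signature = lambda sig, data: True
    samples = {
        "RS256": build_token({"alg": "RS256", "typ": "JWT"}, {"iss": "github"}, b"\x01\x02"),
        "none": build_token({"alg": "none", "typ": "JWT"}, {"iss": "github"}, b""),
        "HS256": build_token({"alg": "HS256", "typ": "JWT"}, {"iss": "github"}, b"\x01\x02"),
    }
    return {alg: verify_github_jwt(tok, accept_any_signature) for alg, tok in samples.items()}


if __name__ == "__main__":
    print(demo())
```

The stand-in verifier in `demo()` deliberately accepts every signature so that the result isolates what the patch adds: a token is only ever handed to the RS256 routine once its shape and its declared algorithm have been checked, instead of trusting that whatever arrived was signed the way the system expects.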
Workarounds
External users should consider using an alternate JWT library or upgrading.
References
Affected code: jervis/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy, lines 244 to 249 in 157d2b6