
Security issue in dependencies #485

Open
jaceksocha opened this issue Jul 11, 2023 · 3 comments

Comments

@jaceksocha

Hi!

I've found a security issue reported in one of the dependencies, "cdbattags/lua-resty-jwt" (cdbattags/lua-resty-jwt#61).

Just to make sure: is "zmartzone/lua-resty-openidc" also affected?

Greetings

@bodewig
Collaborator

bodewig commented Jul 11, 2023

The report doesn't say explicitly what it takes to exploit the vulnerability. Looking at the PR, it seems lua-resty-jwt can be tricked into validating a JWT using JWE validation, skipping the signature verification, but I'm not really familiar with the library's internals and am basically taking some educated guesses.

Right now lua-resty-openidc doesn't support unsigned JWEs (see #440) and signatures are always checked, so if my understanding of the issue is correct, the attack wouldn't work here. But please take this with a very big grain of salt.

@nemmerich

From a quick look into this library it seems to be affected by this issue. It is correct that the underlying issue is caused by a way to get JWTs to be validated as JWEs skipping the signature check, but this is internal to the lua-resty-jwt library. The caller does not need to support JWEs to be affected.
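The kind of caller-side guard the discussion above points at, as an added example that is not code from lua-resty-openidc or lua-resty-jwt: written in Python with only the standard library, it accepts a bearer token only if it has the three-segment JWS shape, carries no JWE header member and uses an allowlisted `alg`, and only then verifies the HMAC signature, so a token shaped to reach an encryption code path is rejected before any library validation runs. The key, header and claims below are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # allowlist of signature algorithms this service accepts


def _b64url_decode(segment: str) -> bytes:
    # Compact serialisation uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_signed_jwt(token: str, key: bytes) -> dict:
    """Accept only a compact JWS (3 segments) whose header describes a plain signed JWT.

    Raises ValueError for anything else: the 5-segment JWE shape, a header that
    carries the JWE member 'enc', an alg outside the allowlist, or a bad signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a 3-segment JWS, got %d segments" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    if "enc" in header:
        raise ValueError("JWE header member 'enc' present in a token expected to be a JWS")
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("alg %r not allowed" % header.get("alg"))
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(parts[1]))


def is_acceptable(token: str, key: bytes) -> bool:
    # Boolean convenience wrapper around verify_signed_jwt for callers that only gate.
    try:
        verify_signed_jwt(token, key)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def make_token(header: dict, claims: dict, key: bytes) -> str:
    # Constructed test helper: HMAC-signs whatever header is given so the checks
    # above can be exercised with well-formed and deliberately odd headers alike.
    h = _b64url_encode(json.dumps(header).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    return h + "." + p + "." + _b64url_encode(sig)
```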

@bodewig
Collaborator

bodewig commented Jul 12, 2023

Thank you for having a second look.
