nimble-platform/common before commit 3b96cb0 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT and can lead to authentication bypasses.
A JWT consists of three parts:
The three parts are base64 encoded and concatenated to form a string like this:
base64EncodedHeader.base64EncodedClaims.base64EncodedSignature. In a client-server context the signature is created by the server and so a (malicious) client could not change a JWT without making signature validation fail!
nimble-platform/common uses the parse method to verify the signature of a JWT.
parse method properly verifies the signature if it consists of the three parts.
But it will also verify a JWT that contains no signature at all!
So it will happily accept a token like this that could have been created by a malicious attacker:
The solution is to always use the
parseClaimsJws method when parsing signed JWTs!
(This vulnerability has been found using this CodeQL query)
Arbitrary JWT forging which may lead to authentication bypasses.
- 2021-04-15: Asked to open a Github security advisory.
- 2021-05-19: Invited to Github security advisory.
- 2021-05-20: CVE is assigned.
- 2021-07-26: Issue is patched.
- 2021-07-26: Advisory is published.
This issue was discovered and reported by @intrigus-lgtm.
You can contact the ISL at
firstname.lastname@example.org. Please include a reference to
ISL-2021-003 in any communication regarding this issue.