Summary
grassrootza/grassroot-platform before version 1.3.1 did not properly verify the signature of JSON Web Tokens when refreshing an existing JWT. This allows forging a valid JWT and can lead to authentication bypasses.
Product
grassrootza/grassroot-platform
Tested Version
Commit 6308bed5
Details
A JWT consists of three parts:
- header
- claims/payload
- signature
The three parts are base64 encoded and concatenated to form a string like this:
base64EncodedHeader.base64EncodedClaims.base64EncodedSignature
In a client-server context the signature is created by the server, so a (malicious) client cannot change a JWT without making signature validation fail!
grassrootza/grassroot-platform uses the parse method to verify the signature of a JWT when refreshing a JWT token.
The parse method properly verifies the signature if the token consists of all three parts.
But it will also verify a JWT that contains no signature at all!
So it will happily accept a token like this that could have been created by a malicious attacker:
base64EncodedHeader.base64EncodedClaims
The solution is to always use the parseClaimsJws method when parsing signed JWTs!
(This vulnerability was found using this CodeQL query.)
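As an added illustration (not code from grassroot-platform), the following snippet contrasts the two parser entry points the advisory names. It assumes the JWT library is jjwt (io.jsonwebtoken) 0.9.x, whose API the method names parse and parseClaimsJws match, and uses a constructed demo secret.

```java
// Added example, not part of grassroot-platform. Assumes jjwt 0.9.x on the classpath.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.nio.charset.StandardCharsets;

public class JwtRefreshCheck {
    // Constructed demo secret (40 bytes); a real deployment loads it from configuration.
    static final byte[] KEY = "demo-secret-key-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);

    // Vulnerable pattern from the advisory: parse() verifies a signature only when one is
    // present, and for a token without a signature it simply returns an unsigned Jwt.
    static String subjectViaParse(String token) {
        Jwt<?, ?> jwt = Jwts.parser().setSigningKey(KEY).parse(token);
        Object body = jwt.getBody();
        return body instanceof Claims ? ((Claims) body).getSubject() : null;
    }

    // Fixed pattern: parseClaimsJws() returns only for a signed token whose signature
    // verifies; an unsigned token raises a JwtException (UnsupportedJwtException).
    static String subjectViaParseClaimsJws(String token) {
        Jws<Claims> jws = Jwts.parser().setSigningKey(KEY).parseClaimsJws(token);
        return jws.getBody().getSubject();
    }

    public static void main(String[] args) {
        String signed = Jwts.builder().setSubject("alice")
                .signWith(SignatureAlgorithm.HS256, KEY).compact();
        // Drop the signature segment: header.claims. (jjwt expects two dots, so the
        // trailing dot stays and the third segment is empty).
        String unsigned = signed.substring(0, signed.lastIndexOf('.') + 1);

        System.out.println("parse()          signed   -> " + subjectViaParse(signed));
        System.out.println("parse()          unsigned -> " + subjectViaParse(unsigned)); // accepted: the bug
        System.out.println("parseClaimsJws() signed   -> " + subjectViaParseClaimsJws(signed));
        try {
            subjectViaParseClaimsJws(unsigned);
            System.out.println("parseClaimsJws() unsigned -> accepted (unexpected)");
        } catch (JwtException e) {
            System.out.println("parseClaimsJws() unsigned -> rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The same contrast makes a useful regression test for any refresh endpoint: a token with an empty signature segment must be rejected, not silently accepted.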
Impact
Arbitrary JWT forging which may lead to authentication bypasses.
CVE
Github Advisories
Coordinated Disclosure Timeline
- 2021-04-15: Asked to open a Github security advisory.
- 2021-04-15: Invited to Github security advisory.
- 2021-04-16: Issue is patched.
- 2021-04-16: CVE is assigned.
- 2021-04-17: Advisory is published.
Credit
This issue was discovered and reported by @intrigus-lgtm.
Contact
You can contact the ISL at isl@intrigus.org. Please include a reference to ISL-2021-004 in any communication regarding this issue.