Summary

fxbin/bubble-fireworks before commit 67b2ef4 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT.

Product

fxbin/bubble-fireworks

Tested Version

Commit 9bf53d96

Details

A JWT consists of three parts:

  • header
  • claims/payload
  • signature The three parts are base64 encoded and concatenated to form a string like this: base64EncodedHeader.base64EncodedClaims.base64EncodedSignature. In a client-server context the signature is created by the server and so a (malicious) client could not change a JWT without making signature validation fail!

fxbin/bubble-fireworks uses the parse method on two occasions to verify the signature of a JWT. The parse method properly verifies the signature if it consists of the three parts.

But it will also verify a JWT that contains no signature at all! So it will happily accept a token like this that could have been created by a malicious attacker: base64EncodedHeader.base64EncodedClaims

The solution is to always use the parseClaimsJws method when parsing signed JWTs!

(This vulnerability has been found using this CodeQL query)

Impact

Arbitrary JWT forging which may lead to authentication bypasses.

CVE

CVE-2021-29500

Github Advisories

GHSA-hj36-84cp-29pr

Coordinated Disclosure Timeline

  • 2021-04-17: Asked to open a Github security advisory.
  • 2021-04-23: Invited to Github security advisory.
  • 2021-05-06: Issue is patched.
  • 2021-05-10: CVE is assigned.
  • 2021-05-21: Advisory is published.

Credit

This issue was discovered and reported by @intrigus-lgtm.

Contact

You can contact the ISL at isl@intrigus.org. Please include a reference to ISL-2021-005 in any communication regarding this issue.