GHSA-6g6m-m6h5-w9gf

Suggest an improvement
Source
https://github.com/advisories/GHSA-6g6m-m6h5-w9gf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6g6m-m6h5-w9gf/GHSA-6g6m-m6h5-w9gf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6g6m-m6h5-w9gf
Aliases
Related
Published
2020-06-30T16:05:24Z
Modified
2023-11-08T04:02:28.505668Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Authorization bypass in express-jwt
Details

Overview

Versions before and including 5.3.3, we are not enforcing the algorithms entry to be specified in the configuration. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

You are using express-jwt AND You do not have algorithms configured in your express-jwt configuration. AND You are using libraries such as jwks-rsa as the secret.

How to fix that?

Specify algorithms in the express-jwt configuration. The following is an example of a proper configuration

const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${DOMAIN}/.well-known/jwks.json`
  }),
  // Validate the audience and the issuer.
  audience: process.env.AUDIENCE,
  issuer: `https://${DOMAIN}/`,
  // restrict allowed algorithms
  algorithms: ['RS256']
});

Will this update impact my users?

The fix provided in patch will not affect your users if you specified the algorithms allowed. The patch now makes algorithms a required configuration.

Credit

IST Group

Database specific 
{
    "github_reviewed_at": "2020-06-30T16:04:48Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ],
    "nvd_published_at": "2020-06-30T16:15:00Z",
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / express-jwt

Package

Name
express-jwt
View open source insights on deps.dev
Purl
pkg:npm/express-jwt

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.0

Database specific 

{
    "last_known_affected_version_range": "<= 5.3.3"
}