CVE-2022-23539 - OpenCVE

Vendors	Products
Auth0	Jsonwebtoken

Link	Resource
https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3	Patch Third Party Advisory
https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0007/

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2022-23539", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-01-19T21:23:53.795Z", "datePublished": "2022-12-22T23:20:47.855Z", "dateUpdated": "2024-06-21T19:08:20"}, "containers": {"cna": {"title": "jsonwebtoken unrestricted key type could lead to legacy keys usage ", "problemTypes": [{"descriptions": [{"cweId": "CWE-327", "lang": "en", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33"}, {"name": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "affected": [{"vendor": "auth0", "product": "node-jsonwebtoken", "versions": [{"version": "<= 8.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-22T23:20:47.855Z"}, "descriptions": [{"lang": "en", "value": "Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you\u2019ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions."}], "source": {"advisory": "GHSA-8cf7-32gw-wr33", "discovery": "UNKNOWN"}}}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:auth0:jsonwebtoken:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7E5DD3C1-F5DD-4BFD-BCA3-561BC167CB35", "versionEndIncluding": "8.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you\u2019ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions."}, {"lang": "es", "value": "Las versiones `<=8.5.1` de la librer\u00eda `jsonwebtoken` podr\u00edan estar mal configuradas para que se utilicen tipos de claves heredadas e inseguras para la verificaci\u00f3n de firmas. Por ejemplo, las claves DSA podr\u00edan usarse con el algoritmo RS256. Usted se ver\u00e1 afectado si utiliza un algoritmo y un tipo de clave que no sea una combinaci\u00f3n que figura en GitHub Security Advisory como no afectada. Este problema se ha solucionado; actualice a la versi\u00f3n 9.0.0. Esta versi\u00f3n valida para combinaciones de algoritmos y tipos de claves asim\u00e9tricas. Consulte las combinaciones de algorithm / key type mencionadas anteriormente para conocer la configuraci\u00f3n segura v\u00e1lida. Despu\u00e9s de actualizar a la versi\u00f3n 9.0.0, si a\u00fan tiene la intenci\u00f3n de continuar firmando o verificando tokens utilizando combinaciones de key type/algorithm no v\u00e1lidas, deber\u00e1 configurar la opci\u00f3n `allowInvalidAmetricKeyTypes` en `true` en `sign()`. y/o funciones `verify()`."}], "id": "CVE-2022-23539", "lastModified": "2024-06-21T19:15:22.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-23T00:15:12.347", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

JSON object

JSON object

JSON object