{ "schema_version": "1.4.0", "id": "GHSA-8cf7-32gw-wr33", "modified": "2024-06-24T21:23:38Z", "published": "2022-12-22T03:32:22Z", "aliases": [ "CVE-2022-23539" ], "summary": "jsonwebtoken unrestricted key type could lead to legacy keys usage ", "details": "# Overview\n\nVersions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. \n\n# Am I affected?\n\nYou are affected if you are using an algorithm and a key type other than the combinations mentioned below\n\n| Key type | algorithm |\n|----------|------------------------------------------|\n| ec | ES256, ES384, ES512 |\n| rsa | RS256, RS384, RS512, PS256, PS384, PS512 |\n| rsa-pss | PS256, PS384, PS512 |\n\nAnd for Elliptic Curve algorithms:\n\n| `alg` | Curve |\n|-------|------------|\n| ES256 | prime256v1 |\n| ES384 | secp384r1 |\n| ES512 | secp521r1 |\n\n# How do I fix it?\n\nUpdate to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.\n\n# Will the fix impact my users?\n\nThere will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and `verify()` functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility. \n\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "jsonwebtoken" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.0.0" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 8.5.1" } } ], "references": [ { "type": "WEB", "url": "https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23539" }, { "type": "WEB", "url": "https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3" }, { "type": "PACKAGE", "url": "https://github.com/auth0/node-jsonwebtoken" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0007" } ], "database_specific": { "cwe_ids": [ "CWE-327" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-12-22T03:32:22Z", "nvd_published_at": "2022-12-23T00:15:00Z" } }