Query PR
github/codeql-go#705
Language
GoLang
CVE(s) ID list
There are multiple detections with this query. I haven't alerted the maintainers yet but will do so soon. In the meantime, to meet the eligibility requirements, you may see CVE-2022-0664 found in gravitl/netmaker. An LGTM run of my query against a vulnerable version of this project can be found here.
CWE
CWE-321
Report
JWTs are used for authenticating and managing users throughout the application.
Since the secret used to sign these tokens is unique to the deployment, it is assumed in most cases that a token can't be forged. However, when a project exposes this secret publicly (for example, by hard-coding it as a string literal in the source), these supposedly unforgeable tokens can be faked easily: anyone who reads the secret can compute a valid signature over arbitrary claims. Since both authentication and access control are typically determined by the validity of the JWT, an attacker can create a valid token for any user and gain access to privileged parts of the application.
In this query, using global taint flow, I detect all instances where a StringLiteral is used for signing the token.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
No response
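As an added illustration of the weakness the query targets, the following stand-alone Go program shows the vulnerable pattern (a string literal flowing into the HMAC key), what an attacker who has read that literal from a public repository can do with it, and the hardened alternative of loading the key from the environment at runtime. It is example code written for this page, not code from the submission, from netmaker, or from the CodeQL query. To stay runnable without third-party modules it implements HS256 compact-JWS signing and verification over crypto/hmac directly instead of calling a JWT library; the secret value, the claim names, and the JWT_SECRET variable name are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// hardcodedSecret is the pattern the query flags (CWE-321): a string literal
// that reaches the signing key. Constructed value, not taken from any project.
var hardcodedSecret = []byte("example-hardcoded-secret")

// Claims is a minimal payload; the field names are assumptions for this example.
type Claims struct {
	Sub     string `json:"sub"`
	IsAdmin bool   `json:"is_admin"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// hs256 computes HMAC-SHA256 over the JWS signing input (header.payload).
func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignHS256 mints a compact JWS (header.payload.signature) using HMAC-SHA256.
func SignHS256(c Claims, key []byte) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	return signingInput + "." + b64(hs256(signingInput, key)), nil
}

// VerifyHS256 accepts only HS256 tokens signed with key and returns the claims.
// Pinning the algorithm stops "alg":"none" and key-confusion tricks; hmac.Equal
// keeps the signature comparison constant-time.
func VerifyHS256(token string, key []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return Claims{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// ForgeAdminToken is what an attacker who read the literal out of the public
// repository can do: mint a token the server will accept, for any subject,
// with whatever privilege claims they like.
func ForgeAdminToken(victim string) (string, error) {
	return SignHS256(Claims{Sub: victim, IsAdmin: true}, hardcodedSecret)
}

// LoadSigningKey is the hardened alternative: the key is read from the
// environment at startup, and a missing or short value is refused rather than
// silently falling back to a literal. The variable name is an assumption.
func LoadSigningKey(envVar string) ([]byte, error) {
	v, ok := os.LookupEnv(envVar)
	if !ok || len(v) < 32 {
		return nil, fmt.Errorf("%s must be set to at least 32 bytes", envVar)
	}
	return []byte(v), nil
}

func main() {
	tok, _ := ForgeAdminToken("alice")
	c, err := VerifyHS256(tok, hardcodedSecret)
	fmt.Printf("forged token accepted: %v (claims=%+v, err=%v)\n", err == nil, c, err)
	if _, err := LoadSigningKey("JWT_SECRET"); err != nil {
		fmt.Println("hardened path:", err)
	}
}
```

Run as-is, the program shows the forged admin token verifying under the leaked literal while the hardened path refuses to start without a real key; swapping `hardcodedSecret` for the value returned by `LoadSigningKey` is the fix the query is nudging maintainers toward, and is what removes the StringLiteral-to-signing-key flow the taint tracking looks for.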