CVE-2023-48223

CVSS 3.1 Score 5.9 of 10 (medium)

Details

Published Nov 20, 2023
Updated: Nov 29, 2023
CWE ID 20

Summary

CVE-2023-48223 is a vulnerability in the fast-jwt library, which provides a fast JSON Web Token (JWT) implementation. Prior to version 3.3.2, fast-jwt did not adequately prevent JWT algorithm confusion for all public key types, allowing an attacker to craft a malicious JWT that specifies the HS256 algorithm and is signed with the victim application's public RSA key. The attack succeeds only when the victim application uses a public key containing the `BEGIN RSA PUBLIC KEY` header. Applications that use the RS256 algorithm with a public key carrying a `BEGIN RSA PUBLIC KEY` header, and that do not explicitly specify an algorithm when calling the verify function, are susceptible to this algorithm confusion attack, which lets attackers sign arbitrary payloads. Version 3.3.2 includes a patch for this vulnerability; a workaround is to modify line 29 of `blob/master/src/crypto.js` to include a regular expression.
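The mitigation the summary points to, binding the accepted algorithm to the type of the verification key, can be sketched as a pre-verification check. This is an added example, not fast-jwt's code or its patch; the function names and the algorithm mapping are assumptions made for illustration, and it uses only Node's built-in `crypto` module.

```javascript
// Added example (not fast-jwt code): bind the permitted algorithms to the key type.
const crypto = require('node:crypto');

const HMAC_ALGS = ['HS256', 'HS384', 'HS512'];
const ALGS_BY_KEY_TYPE = {            // simplified mapping, chosen for this example
  rsa: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'],
  ec: ['ES256', 'ES384', 'ES512'],
  ed25519: ['EdDSA'],
};

// Parse the key rather than matching one PEM header, so PKCS#1
// ("BEGIN RSA PUBLIC KEY") and SPKI ("BEGIN PUBLIC KEY") classify the same way.
function allowedAlgorithms(key) {
  let parsed;
  try {
    parsed = crypto.createPublicKey(key);
  } catch {
    return HMAC_ALGS;                 // not an asymmetric key: treat as a shared secret
  }
  return ALGS_BY_KEY_TYPE[parsed.asymmetricKeyType] || [];
}

function headerAlg(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')).alg;
}

// Run before signature verification. `expected` is the caller's explicit allowlist.
function checkAlgorithm(token, key, expected) {
  const alg = headerAlg(token);
  const byKey = allowedAlgorithms(key);
  const allowed = expected ? expected.filter((a) => byKey.includes(a)) : byKey;
  if (!allowed.includes(alg)) throw new Error(`alg ${alg} not permitted for this key`);
  return alg;
}

// Constructed sample input: a throwaway RSA key in PKCS#1 PEM form and
// tokens with a placeholder signature (only the header is inspected here).
function samplePkcs1Key() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'pkcs1', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  }).publicKey;
}
function sampleToken(alg) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg, typ: 'JWT' })}.${b64({ sub: 'demo' })}.c2ln`;
}
```

Passing an explicit `expected` list such as `['RS256']` narrows the result further, which corresponds to specifying the algorithm in the verify call as the summary describes.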
