
Authentication Bypass

Open nemmerich opened this issue 2 years ago • 9 comments

On the 13th of June 2022 we reported an authentication bypass in this library to @cdbattags. Due to time constraints on their side we privately provided a patch that should fix the issue on the 29th of July 2022. Since then we inquired about the patch multiple times. The maintainer confirmed receipt of the patch but it was never applied.

As this vulnerability was now reported a year ago, this GitHub issue is intended to warn users of this library about the authentication bypass.

We hope the patch will be implemented in the near future and kindly ask the maintainer to create a GitHub Security Advisory afterwards (https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories).

On behalf of ERNW

nemmerich avatar Jun 13 '23 08:06 nemmerich

@nemmerich Could you please provide more details on the issue? Steps to reproduce, etc? Thanks in advance and Best Regards,

wisienka91 avatar Jul 05 '23 12:07 wisienka91

Can you please make the fix public? I do not see how it would be possible given that verification of the JWT (including claims) is actually performed, see:

https://github.com/cdbattags/lua-resty-jwt/blob/master/lib/resty/jwt.lua#L935

I will take a deeper look at the function(s). So far I have found nothing. I hope you will be able to give us the fix to the vulnerability, especially after a whole year.

odiferousmint avatar Jul 10 '23 00:07 odiferousmint
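As an added example that is not part of this thread or of the lua-resty-jwt project's own code: a fail-closed wrapper around the library's verify call, for callers who want their own code to reject anything the library did not positively verify (pinned algorithm, required claims, explicit check of the verified flag). It assumes the library's documented API (jwt:verify, jwt:set_alg_whitelist and the resty.jwt-validators helpers); the issuer, audience, secret and OpenResty access-phase context are placeholders.

```lua
-- Added example (not from the thread or the lua-resty-jwt project):
-- a fail-closed verification wrapper around lua-resty-jwt's public API.
-- Assumes the documented API: jwt:verify(key, token, claim_spec) returning a
-- table with .verified, .reason, .header and .payload; jwt:set_alg_whitelist;
-- and the resty.jwt-validators helpers. Secret, issuer and audience are placeholders.
local jwt = require "resty.jwt"
local validators = require "resty.jwt-validators"

-- Only the algorithm this deployment signs with is accepted; any other
-- "alg" header (including "none") is rejected before signature checking.
jwt:set_alg_whitelist({ HS256 = 1 })

-- Shared secret comes from the environment; the literal is a placeholder only.
local SECRET = os.getenv("JWT_HS256_SECRET") or "PLACEHOLDER-change-me"

-- Claims the application requires: a known issuer, a known audience,
-- a subject, and an unexpired token. A missing required claim fails verification.
local claim_spec = {
    iss = validators.equals("https://issuer.example"),
    aud = validators.equals("my-api"),
    sub = validators.required(),
    exp = validators.is_not_expired(),
}

-- Returns the verified payload, or nil plus a reason. Callers treat nil as
-- "deny": the payload is only returned when every check passed.
local function authenticate(token)
    if type(token) ~= "string" or token == "" then
        return nil, "missing token"
    end

    local jwt_obj = jwt:verify(SECRET, token, claim_spec)

    -- The library reports the outcome through .verified and .reason;
    -- compare explicitly against true rather than relying on truthiness.
    if jwt_obj == nil or jwt_obj.verified ~= true then
        return nil, (jwt_obj and jwt_obj.reason) or "verification failed"
    end

    return jwt_obj.payload
end

-- Usage in an OpenResty access phase (assumed deployment context):
-- local auth = ngx.req.get_headers()["Authorization"] or ""
-- local token = auth:match("^Bearer%s+(.+)$")
-- local payload, err = authenticate(token)
-- if not payload then
--     ngx.log(ngx.WARN, "jwt rejected: ", err)
--     return ngx.exit(ngx.HTTP_UNAUTHORIZED)
-- end
-- ngx.ctx.subject = payload.sub

return { authenticate = authenticate }
```

The point of the wrapper is that the application's own decision depends on a single positive signal (verified == true) and never on the absence of an error, so a library-side defect that skips a check still has to produce that flag before a request is accepted.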

The fix is provided in PR https://github.com/cdbattags/lua-resty-jwt/pull/62.

nemmerich avatar Jul 10 '23 07:07 nemmerich

Thank you, it is much appreciated!

odiferousmint avatar Jul 10 '23 09:07 odiferousmint

Thanks a lot!

wisienka91 avatar Jul 10 '23 09:07 wisienka91

Those who want to read more about this issue can do so here: https://insinuator.net/2023/10/lua-resty-jwt-authentication-bypass/

nemmerich avatar Oct 10 '23 15:10 nemmerich

I see that a fix was merged to address this but there was no tag created to bump the version of this library. The corresponding lib page on luarocks also shows the latest version as only 0.2.3. Can someone please release version 0.2.4? @cdbattags

weiwuprojects avatar Jul 08 '24 21:07 weiwuprojects

@weiwuprojects I noticed the same thing, but also that https://github.com/api7/lua-resty-jwt/pull/8 has the fix and is in luarocks as https://luarocks.org/modules/membphis/api7-lua-resty-jwt. I'm not connected with either. The patches applied over there look like the patches proposed here.

bewinsnw avatar Jul 09 '24 14:07 bewinsnw

Thanks for the input @bewinsnw. I wound up just installing from source at the fix's revision: git clone --recurse-submodules https://github.com/cdbattags/lua-resty-jwt && cd lua-resty-jwt && git reset --hard d1558e2 && luarocks make lua-resty-jwt-dev-0.rockspec

weiwuprojects avatar Jul 09 '24 20:07 weiwuprojects