
JWT Vulnerability

Open guymguym opened this issue 7 years ago • 2 comments

Environment info

  • Version: 1.8
  • Deployment: NA
  • Customer: NA

Actual behavior

  1. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
  2. JWT allows the adversary to control the choice of algorithm the server uses to verify the token, which can be used in various ways, as explained in that link.
  3. Our exposure is not critical because we use the latest version of the library and we are not using asymmetric keys.

Expected behavior

  1. We should restrict our validation only to the default algorithm we use (HS256)

Steps to reproduce

  1. NA

Screenshots or Logs or other output that would be helpful

(If large, please upload as attachment)

guymguym avatar Jun 23 '17 08:06 guymguym