
Security issue in dependencies

Open jaceksocha opened this issue 2 years ago • 3 comments

Hi!

I've found a security issue reported in one of the dependencies, "cdbattags/lua-resty-jwt" (https://github.com/cdbattags/lua-resty-jwt/issues/61).

Just to make sure: is "zmartzone/lua-resty-openidc" also affected?

Greetings

jaceksocha, Jul 11 '23 06:07

The report doesn't say explicitly what it takes to exploit the vulnerability. Looking at the PR, it seems lua-resty-jwt can be tricked into validating a JWT using JWE validation, skipping the signature verification, but I'm not really familiar with the library's internals and am basically taking some educated guesses.

Right now lua-resty-openidc doesn't support unsigned JWEs (see #440) and signatures are always checked, so if my understanding of the issue is correct, the attack wouldn't work here. But please take this with a very big grain of salt.

bodewig, Jul 11 '23 19:07

From a quick look into this library it seems to be affected by this issue. It is correct that the underlying issue is caused by a way to get JWTs to be validated as JWEs skipping the signature check, but this is internal to the lua-resty-jwt library. The caller does not need to support JWEs to be affected.

nemmerich, Jul 12 '23 06:07
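A caller-side gate of the kind the two comments above circle around, as an added example that is not part of this thread and not code from lua-resty-openidc or lua-resty-jwt. It is written in Python as a language-neutral illustration (the same check can sit in front of the Lua library's verify call), uses constructed tokens and a made-up key, and does not reproduce the lua-resty-jwt bug itself, whose trigger the thread does not describe. What it shows is the invariant a caller can enforce before handing a token to any library: accept only a three-segment JWS (a compact JWE has five segments and an `enc` header) whose `alg` is on an allow-list, then verify the signature; a JWE-shaped token never reaches the cryptographic path.

```python
"""Caller-side gate before delegating a bearer token to a JWT library.

Refuse anything that is not a three-segment JWS with an explicitly allowed
`alg`, so the library never gets a chance to route the token through a JWE
(five-segment, `enc` header) path. The HS256 check is included so the
example is complete end to end; all tokens and the key are constructed here.
"""
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def classify_token(token: str) -> str:
    """Return 'JWS', 'JWE' or 'invalid' from the compact serialization shape alone."""
    parts = token.split(".")
    if len(parts) == 3:
        return "JWS"
    if len(parts) == 5:
        return "JWE"
    return "invalid"


def verify_hs256_jws(token: str, key: bytes, allowed_algs=frozenset({"HS256"})):
    """Verify a compact JWS; return (payload_dict, None) or (None, reason)."""
    if classify_token(token) != "JWS":
        return None, "not a three-segment JWS"
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None, "unparseable header"
    # A JWE header carries `enc`; a JWS never does. Reject it even when the
    # segment count looked right, and pin `alg` to the expected algorithms
    # (this also rules out alg=none).
    if "enc" in header:
        return None, "JWE header on a JWS-shaped token"
    alg = header.get("alg")
    if alg not in allowed_algs:
        return None, f"alg {alg!r} not allowed"
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        actual = b64url_decode(sig_b64)
    except ValueError:
        return None, "unparseable signature"
    if not hmac.compare_digest(expected, actual):
        return None, "bad signature"
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None, "unparseable payload"
    return payload, None


def make_hs256_jws(payload: dict, key: bytes) -> str:
    """Build a signed HS256 JWS (only used to construct sample tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Constructed sample tokens and key (not real credentials)
KEY = b"constructed-demo-key"
GOOD_TOKEN = make_hs256_jws({"sub": "alice", "role": "admin"}, KEY)
# Same claims, signed under a different key: must fail the signature check
FORGED_TOKEN = make_hs256_jws({"sub": "alice", "role": "admin"}, b"wrong-key")
# JWE-shaped token (five segments, `enc` in the header): rejected on shape
# before any cryptographic processing happens
JWE_SHAPED_TOKEN = ".".join([
    b64url_encode(b'{"alg":"dir","enc":"A256GCM"}'),
    "", b64url_encode(b"iv"), b64url_encode(b"ct"), b64url_encode(b"tag"),
])

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("forged", FORGED_TOKEN),
                      ("jwe-shaped", JWE_SHAPED_TOKEN)]:
        print(name, classify_token(tok), verify_hs256_jws(tok, KEY))
```

The order of the checks is the point: shape, then header allow-list, then signature. Whatever a library does internally with a five-segment token or an `enc` header, a caller that only forwards tokens passing the first two steps cannot end up on a decryption-only path.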

Thank you for having a second look.

bodewig, Jul 12 '23 17:07