[Japanese]

JVNDB-2017-007582

jwt-scala fails to verify token signatures

Overview

jwt-scala contains a vulnerability where it fails to verify token signatures correctly.

jwt-scala is a Scala library to handle JSON Web Token (JWT). jwt-scala contains a vulnerability where it fails to verify token signatures correctly due to improper processing of JWT headers.

Toshiharu Sugiyama of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to the developer and JPCERT/CC and directly coordinated with the developer. JPCERT/CC published this advisory as the developer agreed with the publication on JVN.
CVSS Severity (What is CVSS?)

Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

CVSS V3 Severity:
Base Metrics: 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


jwt-scala project
  • jwt-scala 1.2.2 and earlier

Impact

Specially crafted tokens may be verified successfully, whereas the verification should be failed.
Solution

[Use the Latest Source Code]
The source code patch is applied on the github repository on September 11, 2017.

applied
https://github.com/reallylabs/jwt-scala/commit/093a9891471608623c715abd08ab0c237489b05a

[Apply a Workaround]
Check that alg field value in the JWT header is appropriate.
Vendor Information

jwt-scala project
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-10862
References

  1. JVN : JVNVU#90916766
Revision History

[2017/09/26]
  Web page was published