You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This doesn't seem to be exploitable right now because the current implementation
of OpenSSL::HMAC.digest expects a string as the key, so if rsa_public is an
OpenSSL::PKey::RSA object, JWT.decode will raise an error. But it would be
better not to depend on this OpenSSL::HMAC.digest behavior
Although the behavior mentioned holds for MRI, JRuby behaves differently and is vulnerable (i.e. you get a successful verification without any errors raised).
@victorhazbun this was fixed in 2.0 by requiring algorithm to be passed in as a parameter and from a quick glance at the current code it looks like you still need algorithms passed in so this should be fine
Algorithm became a required param for verifying signature in #184 to address https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
The PR mentioned:
Although the behavior mentioned holds for MRI, JRuby behaves differently and is vulnerable (i.e. you get a successful verification without any errors raised).
Out of caution, I'd recommend marking the old versions as vulnerable with a note clarifying that only JRuby is affected here: https://github.com/rubysec/ruby-advisory-db
That way people can get notified by tooling such as bundler audit of the potential need to upgrade
The text was updated successfully, but these errors were encountered: