Researchers from Palo Alto Networks Unit 42 found a new high-severity vulnerability, CVE-2022-23529, in the widely used open-source JavaScript library JsonWebToken.
Palo Alto Networks released a security advisory on Monday describing how an attacker could use the weakness to execute code remotely on a server that verifies a maliciously constructed JSON Web Token (JWT) request.
The JsonWebToken JavaScript module, designed and maintained by Okta's Auth0, lets users create, decode and validate JSON Web Tokens as a way of securely exchanging information between two parties for authentication and authorization. The package is downloaded more than 10 million times per week from the npm software registry and is used in more than 22,000 projects.
The ability to run malicious code on such a server would therefore violate confidentiality and integrity guarantees, allowing a bad actor to alter any file on the host and carry out any operation of its choosing using a poisoned private key. However, Unit 42 cautions that to exploit the flaw, a malicious actor would first need to compromise the secret management process between an application and a JsonWebToken server, which lowers the severity score to 7.6/10.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents