CVE-2021-41106

File reference keys leads to incorrect hashes on HMAC algorithms

Severity Score

3.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the `Lcobucci\JWT\Signer\Key\LocalFileReference`, and suggest `Lcobucci\JWT\Signer\Key\InMemory` as the alternative. As a workaround, use `Lcobucci\JWT\Signer\Key\InMemory` instead of `Lcobucci\JWT\Signer\Key\LocalFileReference` to create the instances of one's keys.

JWT es una biblioteca para trabajar con JSON Web Token y JSON Web Signature. Antes de las versiones 3.4.6, 4.0.4 y 4.1.5, los usuarios de los algoritmos basados en HMAC (HS256, HS384 y HS512) combinados con "Lcobucci\JWT\Signer\Key\LocalFileReference" como clave están emitiendo/validando sus tokens usando la ruta del archivo como clave de hashing - en lugar del contenido. Las funciones de hashing HMAC aceptan cualquier cadena como entrada y, dado que los usuarios pueden emitir y comprobar tokens, los usuarios son llevados a creer que todo funciona correctamente. Las versiones 3.4.6, 4.0.4 y 4.1.5 han sido parcheadas para cargar siempre el contenido del archivo, desaprobando la función "Lcobucci\JWT\Signer\Key\LocalFileReference", y sugiriendo "Lcobucci\JWT\Signer\Key\InMemory" como alternativa. Como solución, use "Lcobucci\JWT\SignerKey\InMemory" en lugar de "Lcobucci\JWT\SignerKey\LocalFileReference" para crear las instancias de las claves propias

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-15 CVE Reserved
2021-09-28 CVE Published
2023-04-21 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-345: Insufficient Verification of Data Authenticity

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/lcobucci/jwt/commit/8175de5b841fbe3fd97d2d49b3fc15c4ecb39a73	2021-10-07
https://github.com/lcobucci/jwt/commit/c45bb8b961a8e742d8f6b88ef5ff1bd5cca5d01c	2021-10-07
https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf	2021-10-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Jwt Project Search vendor "Jwt Project"		Jwt Search vendor "Jwt Project" for product "Jwt"				>= 3.4.0 < 3.4.6 Search vendor "Jwt Project" for product "Jwt" and version " >= 3.4.0 < 3.4.6"		-		Affected
Jwt Project Search vendor "Jwt Project"		Jwt Search vendor "Jwt Project" for product "Jwt"				>= 4.0.0 < 4.0.4 Search vendor "Jwt Project" for product "Jwt" and version " >= 4.0.0 < 4.0.4"		-		Affected
Jwt Project Search vendor "Jwt Project"		Jwt Search vendor "Jwt Project" for product "Jwt"				>= 4.1.0 < 4.1.5 Search vendor "Jwt Project" for product "Jwt" and version " >= 4.1.0 < 4.1.5"		-		Affected