Authentication Bypass #61

Open
nemmerich opened this issue Jun 13, 2023 · 9 comments

Comments

@nemmerich

On the 13th of June 2022 we reported an authentication bypass in this library to @cdbattags.
Due to time constraints on their side we privately provided a patch that should fix the issue on the 29th of July 2022.
Since then we inquired about the patch multiple times. The maintainer confirmed receipt of the patch but it was never applied.

As this vulnerability was now reported a year ago, this GitHub issue is intended to warn users of this library about the authentication bypass.

We hope the patch will be implemented in the near future and kindly ask the maintainer to create a GitHub Security Advisory afterwards (https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories).

On behalf of ERNW

@wisienka91

@nemmerich Could you please provide more details on the issue? Steps to reproduce, etc.?
Thanks in advance and best regards,

@odiferousmint

odiferousmint commented Jul 10, 2023

Can you please make the fix public? I do not see how it would be possible given that verification of the JWT (including claims) is actually performed, see:

https://github.com/cdbattags/lua-resty-jwt/blob/master/lib/resty/jwt.lua#L935

I will take a deeper look at the function(s). So far I have found nothing. I hope you will be able to give us the fix to the vulnerability, especially after a whole year.
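The comment above turns on whether signature and claim verification is actually performed. The following is an added example, not code from this issue, from ERNW, or from the lua-resty-jwt project itself: an OpenResty access-phase handler that calls the library's public verification API with an explicit algorithm whitelist and a claim spec, and rejects the request unless both the signature and every claim validator pass. The secret, issuer and audience strings, the header name `X-Auth-Subject`, and the helper `bearer_token` are constructed for this example.

```lua
-- Added example (not from the lua-resty-jwt project or this issue): verify a
-- bearer JWT with an explicit algorithm whitelist and a claim spec, then fail
-- closed. Intended for access_by_lua_block in OpenResty.
local jwt = require "resty.jwt"
local validators = require "resty.jwt-validators"

-- Constructed secret for the example; load it from configuration in practice.
-- The key must come from the server side, never from anything in the token.
local SECRET = "replace-with-a-long-random-secret"

-- Pin the accepted algorithm. Tokens whose header names any other alg
-- (including "none" or an asymmetric alg) are refused rather than verified
-- with whatever alg the token chose.
jwt:set_alg_whitelist({ HS256 = 1 })

-- Tolerate 30 s of clock skew when evaluating time-based claims.
validators.set_system_leeway(30)

-- Claim spec: keys are claim names, values are validators. A missing claim
-- fails a non-opt_ validator, so exp/iss/aud are all required here.
-- The issuer and audience values are constructed placeholders.
local claim_spec = {
  exp = validators.is_not_expired(),
  iss = validators.equals("https://issuer.example"),
  aud = validators.equals("api.example"),
}

-- Hypothetical helper: extract the token from "Authorization: Bearer <jwt>".
local function bearer_token()
  local auth = ngx.req.get_headers()["Authorization"]
  if type(auth) ~= "string" then
    return nil
  end
  return auth:match("^[Bb]earer%s+(%S+)$")
end

local token = bearer_token()
if not token then
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- jwt:verify parses the token, checks the signature with SECRET and then runs
-- every validator in claim_spec. jwt_obj.verified is true only when all of
-- that passed; jwt_obj.reason carries the first failure.
local jwt_obj = jwt:verify(SECRET, token, claim_spec)

if not jwt_obj.verified then
  ngx.log(ngx.WARN, "jwt rejected: ", tostring(jwt_obj.reason))
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- Only after verification is the subject forwarded to the upstream.
-- X-Auth-Subject is a constructed header name for this example.
ngx.req.set_header("X-Auth-Subject", tostring(jwt_obj.payload.sub))
```

The two points a reviewer would check in any deployment of this library are the ones this handler makes explicit: the accepted algorithm is fixed by the server rather than taken from the token header, and the request is refused on any `verified == false`, with `reason` logged rather than inspected by the client.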

@nemmerich

The fix is provided in PR #62.

@odiferousmint

Thank you, it is much appreciated!

@wisienka91

Thanks a lot!

@nemmerich

Those who want to read more about this issue can do so here: https://insinuator.net/2023/10/lua-resty-jwt-authentication-bypass/

@weiwuprojects

I see that a fix was merged to address this but there was no tag created to bump the version of this library. The corresponding lib page on luarocks also shows the latest version as only 0.2.3. Can someone please release version 0.2.4?
@cdbattags

@bewinsnw

bewinsnw commented Jul 9, 2024

@weiwuprojects I noticed the same thing, but also that api7/lua-resty-jwt#8 has the fix and is in luarocks as https://luarocks.org/modules/membphis/api7-lua-resty-jwt. I'm not connected with either. The patches applied over there look like the patches proposed here.

@weiwuprojects

Thanks for the input @bewinsnw. I wound up just installing from source at the fix's revision: git clone --recurse-submodules https://github.com/cdbattags/lua-resty-jwt && cd lua-resty-jwt && git reset --hard d1558e2 && luarocks make lua-resty-jwt-dev-0.rockspec
