Summary

Acunetix 360 identified a Private JSON Web Key Set Disclosure.

Impact

A disclosed JSON Web Key Set (JWKS) containing private key material introduces severe risks to the affected system. Unauthorized access and impersonation of users made possible by the private key exposure can compromise data integrity, damage the system's reputation, and lead to regulatory non-compliance. Even when only public key components are exposed, algorithm and key confusion attacks pose additional threats to authentication and authorization mechanisms.

Remediation

When making your JWK Set public, ensure that private key components are excluded. If the JWK Set only contains public key components, its exposure does not pose a security threat on its own. In fact, utilizing a JWK Set appropriately can be considered a best practice for non-security-related reasons.
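The following Python script is an added example for this page, not Acunetix's own code: it audits a JWK Set for private-key parameters before publication and produces a copy containing only public components. The private parameter names are taken from the JWK/JWA specifications (RFC 7517 and RFC 7518); the sample key set is constructed with dummy values, and the function names and the decision to drop symmetric keys entirely are this example's own choices.

```python
"""Check a JWK Set for private-key material before it is published.

Example code added for this page, not Acunetix's own implementation.
Member names follow RFC 7517 (JWK) and RFC 7518 (JWA); the sample
key set below is constructed with dummy values, not real keys.
"""
import json

# Parameters that carry private-key material, per key type (RFC 7518 section 6).
# Symmetric ("oct") keys have no public half at all, so the whole key is secret.
PRIVATE_PARAMS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
}
SYMMETRIC_KTYS = {"oct"}


def private_material(jwk: dict) -> set:
    """Return the names of private parameters present in a single JWK.

    For symmetric keys the secret parameter 'k' is reported; an unknown
    'kty' is treated conservatively as private so it is never published.
    """
    kty = jwk.get("kty")
    if kty in SYMMETRIC_KTYS:
        return {"k"} if "k" in jwk else set()
    if kty not in PRIVATE_PARAMS:
        return {"kty"}  # unknown type: refuse to publish rather than guess
    return PRIVATE_PARAMS[kty] & set(jwk)


def audit_jwks(jwks: dict) -> dict:
    """Map each key's 'kid' (or its index) to the private params it leaks."""
    findings = {}
    for i, jwk in enumerate(jwks.get("keys", [])):
        leaked = private_material(jwk)
        if leaked:
            findings[jwk.get("kid", f"#{i}")] = sorted(leaked)
    return findings


def public_jwks(jwks: dict) -> dict:
    """Return a copy that is safe to serve at a public JWKS endpoint.

    Asymmetric keys keep only their public parameters; symmetric keys and
    keys of unknown type are dropped entirely.
    """
    published = []
    for jwk in jwks.get("keys", []):
        kty = jwk.get("kty")
        if kty not in PRIVATE_PARAMS:
            continue
        clean = {name: value for name, value in jwk.items()
                 if name not in PRIVATE_PARAMS[kty]}
        published.append(clean)
    return {"keys": published}


# Constructed sample: an RSA signing key whose private CRT parameters were
# left in, a public EC key, and an HMAC secret. All values are dummies.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-2024", "use": "sig", "alg": "RS256",
         "n": "CONSTRUCTED-MODULUS", "e": "AQAB",
         "d": "CONSTRUCTED-PRIVATE-EXPONENT", "p": "CONSTRUCTED-P",
         "q": "CONSTRUCTED-Q", "dp": "CONSTRUCTED-DP",
         "dq": "CONSTRUCTED-DQ", "qi": "CONSTRUCTED-QI"},
        {"kty": "EC", "kid": "ec-2024", "crv": "P-256", "use": "sig",
         "x": "CONSTRUCTED-X", "y": "CONSTRUCTED-Y"},
        {"kty": "oct", "kid": "hmac-2024", "alg": "HS256",
         "k": "CONSTRUCTED-SECRET"},
    ]
}

if __name__ == "__main__":
    print("private material found:", audit_jwks(SAMPLE_JWKS))
    print(json.dumps(public_jwks(SAMPLE_JWKS), indent=2))
```

Running `audit_jwks` against the document actually served at the JWKS endpoint (for example as a deployment or CI check) catches the disclosure this finding describes; `public_jwks` is the shape of the filter to apply before the set is written to that endpoint. Unknown key types are refused rather than passed through, so a new key type cannot silently leak its private half.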

External References

Severity

Critical

Classification

CAPEC-118 CWE-200 ISO27001-A.18.1.4 WASC-13