Description

The scanner detected missing validation of the `jwk` parameter in the header of a JSON Web Token (JWT). This parameter embeds a JSON Web Key (JWK) that the recipient may use to verify the token's signature. Without proper validation, an attacker can supply a malicious JWK of their own choosing, potentially allowing the creation of forged JWTs with arbitrary payloads that the server accepts as genuine. Attackers might then be able to tamper with the claims in the JWT payload and escalate privileges, impersonate users, or trigger unintended application states that a tamper-proof token was meant to prevent.

Remediation

To fix this vulnerability, disable support for the `jwk` header parameter unless it is explicitly required. If support is necessary, implement strict validation to ensure the supplied JWK matches a key from a trusted key source (for example, by comparing it against a server-side allow-list before using it), and verify the signature with that trusted copy rather than with the key material taken from the token. The server-side code responsible for verifying the JWT should be audited and fixed so that the signature is always checked against a key the server trusts.
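The following is an added example, not code from the scanner or from any library the page describes, that shows the flawed pattern beside its remediated form using only the Python standard library. It uses HS256 with an `oct` JWK for brevity; the same structure applies to RSA or EC keys. The `SERVER_SECRET`, `TRUSTED_KEYS`, and all function names are assumptions constructed for the example. The strict verifier accepts an embedded `jwk` only if its RFC 7638 thumbprint matches a key in the trusted store, and even then signs with the trusted copy.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace, SHA-256."""
    required = {"oct": ("k", "kty"), "RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    try:
        canonical = {m: jwk[m] for m in required[jwk["kty"]]}
    except (KeyError, TypeError):
        raise ValueError("malformed or unsupported JWK")
    text = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(text.encode("utf-8")).digest())


def encode_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to build inputs for the verifiers."""
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(sig)])


def _split(token: str):
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("token must have three segments")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    return header, payload, f"{h}.{p}".encode("ascii"), b64url_decode(s)


def _check_hmac(key: bytes, signing_input: bytes, sig: bytes, payload: dict) -> dict:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return payload


# Trusted key source. Constructed for this example; a real service loads this from
# its own configuration or a JWKS endpoint it controls, never from the token.
SERVER_SECRET = b"constructed-example-secret-not-for-real-use"
SERVER_JWK = {"kty": "oct", "k": b64url_encode(SERVER_SECRET)}
TRUSTED_KEYS = {jwk_thumbprint(SERVER_JWK): SERVER_JWK}


def verify_trusting_header(token: str) -> dict:
    """The flawed pattern the finding describes: the verification key comes from the token."""
    header, payload, signing_input, sig = _split(token)
    key = b64url_decode(header["jwk"]["k"])
    return _check_hmac(key, signing_input, sig, payload)


def verify_strict(token: str) -> dict:
    """Remediated verifier: an embedded jwk is honoured only if it is already trusted."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    embedded = header.get("jwk")
    if embedded is None:
        jwk = SERVER_JWK
    else:
        jwk = TRUSTED_KEYS.get(jwk_thumbprint(embedded))
        if jwk is None:
            raise ValueError("jwk header does not match a trusted key")
    # Always use the trusted copy of the key, never the bytes supplied in the header.
    return _check_hmac(b64url_decode(jwk["k"]), signing_input, sig, payload)
```

Pinning the algorithm and looking the embedded key up by thumbprint means a token can never introduce key material the server has not already decided to trust; if the `jwk` header is not needed at all, the simplest remediation is to take the `embedded is None` branch unconditionally.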
