Description

The scanner detected a missing validation of the 'jku' parameter in a JSON Web Token's header. This parameter specifies the location of the JSON Web Key Set (JWKS) used to verify the token's signature. Without proper validation, an attacker can point 'jku' at a JWKS they control, potentially allowing them to forge JWTs with arbitrary payloads. Additionally, because the server fetches whatever URL the header names, they may be able to trigger a blind SSRF attack.

Remediation

To fix this vulnerability, implement a whitelist of URLs that are allowed to host a JWKS file and accept the 'jku' header parameter only if it matches one of them. To make the check resilient to validation bypasses, validate the full URL (scheme, host, port and path) rather than the hostname alone, and disable HTTP redirection in the HTTP library responsible for retrieving the JWKS.
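The remediation above, worked through as an added Python example that is not part of this finding: the allowlist entries, the hostnames, the token headers and the JWKS contents are constructed placeholders. The 'jku' check compares a canonicalized full URL against the allowlist (rejecting non-https schemes, userinfo, non-default ports, query strings and fragments), and the fetcher uses a urllib opener whose redirect handler refuses every redirect. The fetch function is injectable so the lookup can be exercised offline.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Allowlist of full JWKS URLs (constructed placeholder values for this example).
JWKS_ALLOWLIST = frozenset({
    "https://auth.example.com/.well-known/jwks.json",
    "https://login.example.com/oauth2/keys",
})

# Constructed JWKS standing in for what the allowlisted server would serve.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "n": "placeholder-modulus", "e": "AQAB"}]}


def _b64url_decode(data: str) -> bytes:
    """Decode an unpadded base64url segment, as used in compact JWS."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def parse_jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact-serialized JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0]))


def is_allowed_jku(jku, allowlist=JWKS_ALLOWLIST) -> bool:
    """Accept only a canonical https URL that appears verbatim in the allowlist.

    Comparing the whole URL, not just the host, closes the usual bypasses:
    userinfo in the authority (https://auth.example.com@other.invalid/),
    path traversal, query/fragment noise, alternate ports and http://.
    """
    if not isinstance(jku, str):
        return False
    parts = urlsplit(jku)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if parts.query or parts.fragment or port not in (None, 443):
        return False
    # urlsplit lowercases scheme and hostname, so this form is canonical.
    canonical = f"https://{parts.hostname or ''}{parts.path}"
    return canonical in allowlist


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect so an allowlisted URL cannot bounce elsewhere."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)


def fetch_jwks(url: str, timeout: float = 5.0) -> dict:
    """Download the JWKS at an already-validated URL without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect())
    with opener.open(url, timeout=timeout) as resp:
        return json.loads(resp.read())


def select_jwk(token: str, fetch=fetch_jwks, allowlist=JWKS_ALLOWLIST) -> dict:
    """Resolve the key a token's header points at, validating 'jku' first."""
    header = parse_jwt_header(token)
    jku = header.get("jku")
    if not is_allowed_jku(jku, allowlist):
        raise ValueError(f"jku not on allowlist: {jku!r}")
    jwks = fetch(jku)
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid"):
            return key
    raise ValueError("no key with matching kid")


def _demo_token(header: dict) -> str:
    """Build a compact JWS with the given header, an empty payload and a dummy
    signature; constructed purely to exercise the header validation."""
    seg = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([seg(json.dumps(header).encode()), seg(b"{}"), seg(b"sig")])


def demo() -> dict:
    """Run the check against one allowlisted and one look-alike 'jku' value."""
    fake_fetch = lambda url: SAMPLE_JWKS  # offline stand-in for fetch_jwks
    good = _demo_token({"alg": "RS256", "kid": "k1",
                        "jku": "https://auth.example.com/.well-known/jwks.json"})
    bad = _demo_token({"alg": "RS256", "kid": "k1",
                       "jku": "https://auth.example.com@other.invalid/.well-known/jwks.json"})
    results = {"good": select_jwk(good, fetch=fake_fetch)["kid"]}
    try:
        select_jwk(bad, fetch=fake_fetch)
        results["bad"] = "accepted"
    except ValueError:
        results["bad"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping the allowlist as complete URLs rather than hostnames is the design choice that matters: the comparison is a plain set lookup on a canonical string, so there is no pattern matching to get wrong, and the redirect handler means a compromised or misconfigured allowlisted endpoint cannot forward the verifier to a key set hosted elsewhere.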
