Description

The scanner detected a missing validation of the 'x5u' parameter in the header of a JSON Web Token (JWT). This parameter specifies the location of the X.509 certificate chain used to verify the token's signature. Without proper validation, an attacker can supply a malicious certificate, potentially allowing the creation of forged JWTs with arbitrary payloads. Additionally they may be able to trigger a blind SSRF attack.

Remediation

In order to fix this vulnerability, you need to implement a whitelist of URLs that are allowed to host a x509 cert file, specified in the 'x5u' header parameter. To make sure it is resilient to validation bypasses, please make sure to validate the full URL and disable HTTP redirection for the HTTP library responsible for the token retrieval.

References

Fun With JWT X5u

Related Vulnerabilities

Cross-site Scripting via Remote File Inclusion

WordPress Plugin OAuth client Single Sign On for WordPress (OAuth 2.0 SSO) Security Bypass (3.0.3)

Ubiquiti Unifi Log4Shell RCE

Ruby Improper Authentication Vulnerability (CVE-2007-5162)

Oracle Reports rwservlet vulnerabilities

Severity

High

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:L/SA:L

Tags

Acumonitor SSRF