logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-c4cm-r9fh-jgj9 commonground-api-common

Package

Manager: pip
Name: commonground-api-common
Vulnerable Version: >=0 <=1.12.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

commonground-api-common unexploitable privilege escalation in JWT authentication middleware ### Impact This is a privilege escalation vulnerability. The impact is negligible and entirely theoretical. A non-exploitable weakness was found in how the client-supplied JWTs are verified. Because an explicit allow-list of known algorithms is used in the PyJWT library, user-supplied (invalid) algorithms are rejected. If this was not the case, then the client JWTs could be tampered with, resulting in privilege escalation which would allow the attacker to perform any operation as any client (impersonation) without leaving a trace of the real user/client. ### Patches Will be fixed in 1.12.2 ### Workarounds None needed. But be careful when updating PyJWT. Check that the used PyJWT has no algorithms specified with a name in "", "HS25", "HS2", "HS", "H", or that those algorithms are acceptable. ### Details The header and payload of JSON Web Tokens (JWTs) are cryptographically signed with an algorithm. A JWT has a header field `alg` that specifies the algorithm used in the signature. The `vng-api-common.middleware.AuthMiddleware` uses PyJWT to check the validity of JWT and indicates it should be "HS256", otherwise an attacker could construct a token with a cryptographically weak token. It should indicate this with a list of acceptable algorithms `["HS256"]`, but instead the string `"HS256"` is passed to PyJWT. PyJWT does not check the type of the argument and checks if the `alg` string in the header exists in the acceptable algorithms value with the `in` operator. Any substring of `"HS256"` passes this `in` check. It is not exploitable because there is no such substring in de set of algorithms PyJWT supports.

Metadata

Created: 2024-02-09T17:04:47Z
Modified: 2024-02-09T17:04:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-c4cm-r9fh-jgj9/GHSA-c4cm-r9fh-jgj9.json
CWE IDs: []
Alternative ID: N/A
Finding: F204
Auto approve: 1