Vulnerabilities / JWT algorithm confusion

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity
High
CWE Name
JWT algorithm confusion
CWE ID
CWE-345
CVSS Score
10.0
Compliance
OWASP TOP10 -> A8
ISO27001 -> A.8.2, A.8.3, A.8.5, A.8.24, A.8.26
JWT algorithm confusion

The server uses public/private key signatures to protect the JWTs. But it also accepts JWTs signed with HMAC. By changing the signing algorithm in your JWTs to HMAC and using the HTTPS certificate as secret we created a JWT accepted by your server. If the JWT is used to control access to the application, an attacker could take advantage of this vulnerability to forge a token and impersonate other users or even elevate privileges.

How to fix

  • To fix this issue, you should only have public/private key algorithms in the list of allowed algorithms.