Vulnerabilities / Using jwk parameter to verify JWTs
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
↓
Severity
High
CWE Name
Using jwk parameter to verify JWTs
CWE ID
CWE-345
CVSS Score
7.5
Compliance
OWASP TOP10 -> A8
ISO27001 -> A.8.2, A.8.3, A.8.5, A.8.24, A.8.26
ISO27001 -> A.8.2, A.8.3, A.8.5, A.8.24, A.8.26
The server is using the key received in the parameter jwk
on the JWT header to validate the signature. The jwk is a user controllable parameter which means anyone can change your JWTs contents. If the JWT is used to control access to the application, an attacker could take advantage of this vulnerability to forge a token and impersonate other users or even elevate privileges.
How to fix
-
To fix this issue, you should force the usage of a predefined public key.