Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNGNtLXI5ZmgtamdqOc4AA5ML
commonground-api-common unexploitable privilege escalation in JWT authentication middleware
Impact
This is a privilege escalation vulnerability. The impact is negligible and entirely theoretical.
A non-exploitable weakness was found in how the client-supplied JWTs are verified. Because an explicit allow-list
of known algorithms is used in the PyJWT library, user-supplied (invalid) algorithms are rejected.
If this was not the case, then the client JWTs could be tampered with, resulting in privilege escalation which
would allow the attacker to perform any operation as any client (impersonation) without leaving a trace of
the real user/client.
Patches
Will be fixed in 1.12.2
Workarounds
None needed. But be careful when updating PyJWT. Check that the used PyJWT has no algorithms specified with a name in "", "HS25", "HS2", "HS", "H", or that those algorithms are acceptable.
Details
The header and payload of JSON Web Tokens (JWTs) are cryptographically signed with an algorithm. A JWT has a header field alg that specifies the algorithm used in the signature.
The vng-api-common.middleware.AuthMiddleware uses PyJWT to check the validity of JWT and indicates it should be "HS256", otherwise an attacker could construct a token with a cryptographically weak token. It should indicate this with a list of acceptable algorithms ["HS256"], but instead the string "HS256" is passed to PyJWT. PyJWT does not check the type of the argument and checks if the alg string in the header exists in the acceptable algorithms value with the in operator. Any substring of "HS256" passes this in check. It is not exploitable because there is no such substring in de set of algorithms PyJWT supports.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNGNtLXI5ZmgtamdqOc4AA5ML
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 10 months ago
Updated: 10 months ago
Identifiers: GHSA-c4cm-r9fh-jgj9
References:
- https://github.com/maykinmedia/commonground-api-common/security/advisories/GHSA-c4cm-r9fh-jgj9
- https://github.com/maykinmedia/commonground-api-common/commit/20d9345a865338777839e8f02c21cd9d6f5a2cae
- https://github.com/advisories/GHSA-c4cm-r9fh-jgj9
Blast Radius: 0.0
Affected Packages
pypi:vng-api-common-utrecht
Dependent packages: 0Dependent repositories: 1
Downloads: 71 last month
Affected Version Ranges: <= 1.3.2
No known fixed version
All affected versions: 1.3.2
pypi:vng-api-common
Dependent packages: 1Dependent repositories: 20
Downloads: 9,968 last month
Affected Version Ranges: <= 2.0.5
No known fixed version
All affected versions: 0.30.0, 0.31.0, 0.31.1, 0.31.2, 0.32.0, 0.32.1, 0.32.2, 0.32.3, 0.33.0, 0.34.0, 0.34.1, 0.35.0, 0.35.1, 0.35.2, 0.35.3, 0.35.4, 0.35.5, 0.35.6, 0.35.7, 0.35.8, 0.35.9, 0.35.10, 0.36.0, 0.36.1, 0.37.0, 0.37.1, 0.37.2, 0.37.3, 0.37.4, 0.38.0, 0.38.1, 0.38.2, 0.39.0, 0.39.1, 0.40.0, 0.40.1, 0.41.0, 0.41.1, 0.41.2, 0.42.0, 0.42.1, 0.43.0, 0.43.1, 0.43.2, 0.43.3, 0.44.0, 0.45.0, 0.46.0, 0.46.1, 0.46.2, 0.47.0, 0.47.1, 0.47.2, 0.48.0, 0.48.1, 0.49.0, 0.49.1, 0.49.2, 0.49.3, 0.50.0, 0.50.1, 0.50.2, 0.50.3, 0.50.4, 0.51.0, 0.51.1, 0.51.2, 0.52.0, 0.52.1, 0.52.2, 0.52.3, 0.52.4, 0.52.5, 0.52.6, 0.53.0, 0.54.0, 0.55.0, 0.55.1, 0.56.0, 0.56.1, 0.57.0, 0.57.1, 0.57.2, 0.57.3, 0.58.0, 0.58.1, 0.59.0, 0.59.1, 0.59.2, 0.59.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.25, 1.0.26, 1.0.27, 1.0.28, 1.0.29, 1.0.30, 1.0.31, 1.0.32, 1.0.33, 1.0.34, 1.0.35, 1.0.36, 1.0.37, 1.0.38, 1.0.39, 1.0.40, 1.0.41, 1.0.42, 1.0.43, 1.0.44, 1.0.45, 1.0.46, 1.0.47, 1.0.48, 1.0.49, 1.0.50, 1.0.51, 1.0.52, 1.0.53, 1.0.54, 1.0.55, 1.0.56, 1.0.57, 1.0.58, 1.0.59, 1.0.60, 1.0.61, 1.0.62, 1.0.63, 1.0.64, 1.0.65, 1.0.66, 1.0.67, 1.0.68, 1.0.69, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.8.0, 1.9.0, 1.11.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5
pypi:commonground-api-common
Dependent packages: 2Dependent repositories: 1
Downloads: 5,834 last month
Affected Version Ranges: <= 1.12.1
No known fixed version
All affected versions: 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.12.0, 1.12.1