Published: 2017/09/25  Last Updated: 2017/09/25

JVNVU#90916766
jwt-scala fails to verify token signatures

Overview

jwt-scala contains a vulnerability where it fails to verify token signatures correctly.

Products Affected

  • jwt-scala 1.2.2 and earlier

Description

jwt-scala is a Scala library for handling JSON Web Tokens (JWT). jwt-scala contains a vulnerability where it fails to verify token signatures correctly because it processes the JWT header improperly.

Impact

Specially crafted tokens may pass verification when verification should fail.

Solution

Use the Latest Source Code
The source code patch was applied to the GitHub repository on September 11, 2017.

Apply a Workaround
Check that the alg field value in the JWT header is the algorithm the application expects before accepting the token.
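The workaround above amounts to one rule: the verifier, not the token, decides which signature algorithm is acceptable, and a token whose header names anything else is rejected before any signature check runs. The following is an added Python example of that check, written for this advisory; it is not jwt-scala's code or API. It assumes an HS256 shared key (a constructed demo key) and uses only the standard library; the test tokens are constructed inline to exercise the rejection paths.

```python
import base64
import hashlib
import hmac
import json

# Allowlist of signature algorithms this verifier will accept. Anything absent
# from it, including "none", is rejected before the signature is examined.
ALLOWED_ALGS = {"HS256": hashlib.sha256}


def _b64url_decode(s):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(payload, key):
    """Build a constructed HS256 token for the demonstration (hypothetical helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify(token, key, expected_alg="HS256"):
    """Return the decoded claims if the token verifies; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts")
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict):
        raise ValueError("malformed header: not a JSON object")
    alg = header.get("alg")
    # The check the advisory's workaround calls for: the header's alg must equal
    # the algorithm this verifier was configured with, and must be allowlisted.
    if alg != expected_alg or alg not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg in header: {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(key, signing_input, ALLOWED_ALGS[alg]).digest()
    # Constant-time comparison of the recomputed MAC against the token's signature.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def check(token, key):
    """Return (accepted, claims_or_reason) so the outcome can be inspected."""
    try:
        return True, verify(token, key)
    except ValueError as e:
        return False, str(e)


KEY = b"constructed-demo-key"  # constructed; never hard-code a real key
GOOD = sign_hs256({"sub": "alice"}, KEY)
_h, _p, _s = GOOD.split(".")
# Constructed test inputs: the header or payload is altered after signing.
ALG_NONE = _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + _p + "."
ALG_OTHER = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}') + "." + _p + "." + _s
TAMPERED = _h + "." + _b64url_encode(b'{"sub":"admin"}') + "." + _s

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("alg none", ALG_NONE),
                      ("alg RS256", ALG_OTHER), ("tampered payload", TAMPERED)]:
        print(name, check(tok, KEY))
```

Only the first token is accepted; the two header variants are refused by the alg check before any MAC is computed, and the altered payload fails the constant-time signature comparison. A library that trusts the header's alg field to select the verification routine inverts this ordering, which is the class of defect the advisory describes.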

Vendor Status

Vendor Link
reallyl IO jwt-scala

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score: 5.3
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): None (N)
Integrity Impact (I): Low (L)
Availability Impact (A): None (N)
CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:N
Base Score: 5.0
Access Vector (AV): Network (N)
Access Complexity (AC): Low (L)
Authentication (Au): None (N)
Confidentiality Impact (C): None (N)
Integrity Impact (I): Partial (P)
Availability Impact (A): None (N)

Credit

Toshiharu Sugiyama of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to the developer and JPCERT/CC and directly coordinated with the developer. JPCERT/CC published this advisory as the developer agreed with the publication on JVN.

Other Information

CVE CVE-2017-10862