CVE-2022-29217 - PyJWT Vulnerability: Unintended Signing Algorithm Acceptance

Summary: A security vulnerability (CVE-2022-29217) was discovered in the PyJWT library. It allows an attacker to exploit the unspecified signing algorithms and potentially compromise tokens. The vulnerability has been patched in version 2.4. of the library, and users are encouraged to update their installations.



The PyJWT library is a popular Python implementation of the JSON Web Token (JWT) protocol as specified in RFC 7519. JWT is commonly used for authentication and authorization purposes.

Recently, a new CVE (CVE-2022-29217) has been assigned to a security vulnerability in this library. The issue is related to the handling of signing algorithms in the PyJWT library. By design, JWT allows flexibility in choosing the algorithm that should be used for signing tokens. For example, some applications might use the HMAC-SHA256 algorithm (HS256), while others might use RSA-SHA256 (RS256).

In the PyJWT library, the application developer needs to specify which algorithms are supported by their application. They can either import the default set of supported algorithms, or explicitly list the algorithms they want to enable.

The problem arises when a developer intends to use a specific algorithm such as "HS256" but mistakenly allows the default set of algorithms, potentially including other undesired algorithms. This is achieved with the use of algorithms=jwt.algorithms.get_default_algorithms().

Here's an example of potentially vulnerable code

import jwt

# Intending to only support HS256
secret_key = "mysecretkey"
algorithms = jwt.algorithms.get_default_algorithms()

# An attacker can submit a JWT token using an undesired algorithm
token = "[attacker's JWT token]"

# Unintended algorithm acceptance
payload = jwt.decode(token, secret_key, algorithms=algorithms)

To demonstrate how an attacker could exploit this, the following code snippet illustrates the creation of a malicious JWT token with an undesired signing algorithm:

import jwt

# Using an unintended algorithm, e.g., RS256
secret_key = "attacker's RSA private key"
algorithm = "RS256"

payload = {
    "sub": "malicious_user",
    "admin": True,
}

# Crafting a JWT token with the unintended algorithm
malicious_token = jwt.encode(payload, secret_key, algorithm=algorithm)

To mitigate this issue, developers should make sure they always explicitly specify the allowed signing algorithms when working with PyJWT, rather than just using the default algorithms. Additionally, users should upgrade their installations to PyJWT v2.4., where the security vulnerability has been patched.

Here's an example of a more secure implementation

import jwt

# Only supporting the intended HS256 algorithm
secret_key = "mysecretkey"
algorithm = "HS256"

# Accepting only the desired algorithm when decoding tokens
payload = jwt.decode(token, secret_key, algorithms=[algorithm])

In conclusion, while the impact of CVE-2022-29217 may not be too significant, it highlights the potential risks of using default configurations without fully understanding their implications. Ensure to always explicitly declare which algorithms are supported in your application, and as a best practice, keep your libraries updated to defend against known vulnerabilities.

Timeline

Published on: 05/24/2022 15:15:00 UTC
Last modified on: 06/07/2022 14:40:00 UTC