Mike, Yaron, and I received an email reporting a number of vulnerabilities in JWT libraries (see below), and a number of suggested mitigations that Yaron has filed in his repo as issues:
https://github.com/yaronf/draft-sheffer-oauth-rfc8725bis/issues

This has prompted us to start a new draft for a revised JWT BCP. Yaron has published an ID that is the current state of RFC8725:
https://datatracker.ietf.org/doc/draft-sheffer-oauth-rfc8725bis/

We would like to propose that it be adopted by the WG. We would discuss the mitigations listed and add them to the document as agreed upon, and will solicit any additional best current practices that have been developed since the publication of 8725.

/Dick

Reference:
[1]: https://nvd.nist.gov/vuln/detail/cve-2024-5037
[2]: https://github.com/kubernetes/kubernetes/pull/123540

Language    Library          Vulnerability Type       CVE Number
Python      python-jose      Compression DoS          CVE-2024-29370
Python      jwcrypto         Billion Hashes Attack    CVE-2023-6681
Python      jwcrypto         Compression DoS          CVE-2024-28102
C           latchset/jose    Billion Hashes Attack    CVE-2023-50967
Java        jjwt             Billion Hashes Attack    CVE-2024-39960
Java        jose4j           Billion Hashes Attack    CVE-2023-51775
Java        jose4j           Compression DoS          CVE-2024-29371
Java        nimbus-jose-jwt  Billion Hashes Attack    CVE-2023-52428
C#          jose-jwt         Sign/Encrypt Confusion   CVE-2024-24238
C#          jose-jwt         Compression DoS          CVE-2024-27663
JavaScript  jose             Compression DoS          CVE-2024-28176
JavaScript  node-jose        Billion Hashes Attack    CVE-2024-39960
Go          jose2go          Billion Hashes Attack    CVE-2023-50658
Go          jose2go          Compression DoS          CVE-2024-28122
Go          go-jose          Compression DoS          CVE-2024-28180
Go          jwx              Billion Hashes Attack    CVE-2023-49290
Go          jwx              Compression DoS          CVE-2024-28122
Ruby        json-jwt         Sign/Encrypt Confusion   CVE-2023-51774
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org