Mike, Yaron, and I received an email reporting a number of
vulnerabilities in JWT libraries (see below), and a number of suggested
mitigations Yaron has filed in his repo as issues:

https://github.com/yaronf/draft-sheffer-oauth-rfc8725bis/issues


This has prompted us to start a new draft for a revised JWT BCP.

Yaron has published an ID that is the current state of RFC8725

https://datatracker.ietf.org/doc/draft-sheffer-oauth-rfc8725bis/


that we would like to propose be adopted by the WG. We would discuss the
mitigations listed and add to the document as agreed upon, and will solicit
any additional best current practices that have been developed since the
publication of 8725.

/Dick

References:
[1]: https://nvd.nist.gov/vuln/detail/cve-2024-5037
[2]: https://github.com/kubernetes/kubernetes/pull/123540

Language    Library            Vulnerability Type       CVE Number
Python      python-jose        Compression DoS          CVE-2024-29370
            jwcrypto           Billion Hashes Attack    CVE-2023-6681
                               Compression DoS          CVE-2024-28102
C           latchset/jose      Billion Hashes Attack    CVE-2023-50967
Java        jjwt               Billion Hashes Attack    CVE-2024-39960
            jose4j             Billion Hashes Attack    CVE-2023-51775
                               Compression DoS          CVE-2024-29371
            nimbus-jose-jwt    Billion Hashes Attack    CVE-2023-52428
C#          jose-jwt           Sign/Encrypt Confusion   CVE-2024-24238
                               Compression DoS          CVE-2024-27663
JavaScript  jose               Compression DoS          CVE-2024-28176
            node-jose          Billion Hashes Attack    CVE-2024-39960
Go          jose2go            Billion Hashes Attack    CVE-2023-50658
                               Compression DoS          CVE-2024-28122
            go-jose            Compression DoS          CVE-2024-28180
            jwx                Billion Hashes Attack    CVE-2023-49290
                               Compression DoS          CVE-2024-28122
Ruby        json-jwt           Sign/Encrypt Confusion   CVE-2023-51774
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
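Added example, not part of the message above and not code from any of the libraries in the table: the three vulnerability classes listed (Billion Hashes Attack, Compression DoS, Sign/Encrypt Confusion) can all be cut off by cheap checks on the protected header and on the inflate step before any key derivation, decryption or signature work is done. The Python below shows such pre-checks using only the standard library. The limits (MAX_P2C, MIN_P2C, MAX_INFLATED_BYTES), the function names and the sample tokens are assumptions constructed for this example; the p2c value and the DEFLATE stream are synthetic inputs, not captured from any real exploit.

```python
import base64
import json
import zlib

# Policy limits: assumed values for this example, not taken from any library or draft.
MAX_P2C = 10_000               # largest PBES2 iteration count we will honour from a token
MIN_P2C = 1_000                # RFC 7518 says the iteration count SHOULD be at least 1000
MAX_INFLATED_BYTES = 256_000   # largest "zip":"DEF" plaintext we are willing to produce


class RejectedToken(ValueError):
    """Raised when a token is refused before any key or hash work is done."""


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_compact(token: str):
    """Return (protected_header_dict, kind) where kind is 'JWS' or 'JWE'."""
    parts = token.split(".")
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise RejectedToken("compact serialization must have 3 (JWS) or 5 (JWE) parts")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise RejectedToken("protected header is not valid base64url/JSON") from exc
    if not isinstance(header, dict):
        raise RejectedToken("protected header must be a JSON object")
    return header, kind


def check_protected_header(token: str, expected_kind: str, allowed_algs: frozenset) -> dict:
    """Checks that run before any cryptography: structure, alg allow-list, p2c cap, zip value.

    expected_kind is 'JWS' or 'JWE' and is fixed by the caller, so a JWE handed to a
    signature-verifying endpoint (or vice versa) is refused outright: that is the
    sign/encrypt confusion class.
    """
    header, kind = split_compact(token)
    if kind != expected_kind:
        raise RejectedToken(f"expected a {expected_kind} but received a {kind}")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise RejectedToken(f"alg {alg!r} is not in the allow-list")
    if alg.startswith("PBES2"):
        # Billion hashes class: an attacker-chosen p2c drives the PBKDF2 cost.
        p2c = header.get("p2c")
        if type(p2c) is not int or not (MIN_P2C <= p2c <= MAX_P2C):
            raise RejectedToken(f"p2c {p2c!r} outside [{MIN_P2C}, {MAX_P2C}]")
    if "zip" in header and header["zip"] != "DEF":
        raise RejectedToken(f"unsupported zip {header['zip']!r}")
    return header


def bounded_inflate(compressed: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a raw-DEFLATE ("zip":"DEF") body, refusing to produce more than `limit` bytes."""
    d = zlib.decompressobj(wbits=-15)          # raw DEFLATE, no zlib/gzip wrapper, as JWE uses
    out = d.decompress(compressed, limit)      # zlib stops producing output at `limit`
    if d.unconsumed_tail or not d.eof:         # input left over, or stream not finished
        raise RejectedToken(f"inflated size exceeds {limit} bytes (or stream is truncated)")
    return out


def rejects(func, *args) -> bool:
    """Helper: True if func(*args) raises RejectedToken."""
    try:
        func(*args)
    except RejectedToken:
        return True
    return False


# Constructed sample tokens: only the protected header matters here, other segments are dummies.
def make_token(header: dict, n_parts: int) -> str:
    dummy = b64url_encode(b"x")
    return ".".join([b64url_encode(json.dumps(header).encode())] + [dummy] * (n_parts - 1))


JWS_OK = make_token({"alg": "HS256", "typ": "JWT"}, 3)
JWE_BILLION_HASHES = make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                                 "p2s": b64url_encode(b"saltsaltsalt"), "p2c": 2_000_000_000}, 5)
JWE_SANE_P2C = make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                           "p2s": b64url_encode(b"saltsaltsalt"), "p2c": 4_096}, 5)

# Constructed compression bomb: 8 MB of zeros shrinks to a few KB of raw DEFLATE.
_c = zlib.compressobj(level=9, wbits=-15)
DEFLATE_BOMB = _c.compress(b"\0" * 8_000_000) + _c.flush()
_c = zlib.compressobj(level=9, wbits=-15)
SMALL_DEFLATE = _c.compress(b'{"sub":"alice"}') + _c.flush()

if __name__ == "__main__":
    print(check_protected_header(JWS_OK, "JWS", frozenset({"HS256"})))
    print(rejects(check_protected_header, JWE_BILLION_HASHES, "JWE", frozenset({"PBES2-HS256+A128KW"})))
    print(rejects(check_protected_header, JWE_SANE_P2C, "JWS", frozenset({"HS256"})))
    print(rejects(bounded_inflate, DEFLATE_BOMB))
    print(bounded_inflate(SMALL_DEFLATE))
```

The point of the ordering is that every check above costs a JSON parse and a few comparisons, so the expensive step (PBKDF2 with the token's p2c, or inflating the ciphertext) is never reached for a hostile token. The caller, not the token, decides whether a JWS or a JWE is acceptable at a given endpoint and which algorithms are allowed; the header is only consulted after that decision.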