Warning: 4 critical vulnerabilities in jsonwebtoken

Reference: Advisory #2023-04
Version: 1.0
Affected software: Auth0 - jsonwebtoken <=8.5.1
Type: Improper Input Validation, Use of a Broken or Risky Cryptographic Algorithm, Improper Authentication, Improper Restriction of Security Token Assignment
CVE/CVSS:

CVE-2022-23529
CVE-2022-23539
CVE-2022-23540
CVE-2022-23541

Sources

https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-27h2-hvpr-p74q
https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-8cf7-32gw-wr33
https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-hjrf-2m68-5959
https://nvd.nist.gov/vuln/detail/CVE-2022-23529
https://nvd.nist.gov/vuln/detail/CVE-2022-23539
https://nvd.nist.gov/vuln/detail/CVE-2022-23540
https://nvd.nist.gov/vuln/detail/CVE-2022-23541

Risks

jsonwebtoken is an implementation of JSON Web Tokens for Node.js. A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.

JWTs are one of the most widely used authentication standards in web applications, and jsonwebtoken is a dependency of more than 22 000 npm packages.

Exploiting a vulnerability in the jsonwebtoken package can impact any system running a package that uses jsonwebtoken.

Verifying which packages use jsonwebtoken is essential to determine whether you are vulnerable to the vulnerabilities described below.

Description

The following vulnerabilities were discovered in jsonwebtoken <=8.5.1:

• CVE-2022-23529: Insecure input validation in the jwt.verify function
• CVE-2022-23539: Unrestricted key type could lead to legacy key usage
• CVE-2022-23540: Insecure default algorithm in jwt.verify() could lead to signature validation bypass
• CVE-2022-23541: Insecure implementation of the key retrieval function could lead to forgeable public/private tokens (RSA to HMAC)

Recommended actions

• Upgrade the jsonwebtoken package to version 9.0.0
  • Read the Migration Notes: v8 to v9 to ensure all functions still work after upgrading to v9
• Update all packages that use jsonwebtoken as a dependency to their latest version and ensure that all of these packages use jsonwebtoken >=v9.0.0

References

https://www.npmjs.com/package/jsonwebtoken
https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9