Authentication Bypass in lua-resty-jwt #9809

Closed
nemmerich opened this issue Jul 10, 2023 · 3 comments · Fixed by #9837

@nemmerich

Description

The lua-resty-jwt and api7-lua-resty-jwt dependencies contain an authentication bypass which makes the jwt-auth plugin also vulnerable. As the vulnerability was not fixed for over a year in the lua-resty-jwt library, details were made public through cdbattags/lua-resty-jwt#62.

This issue is intended to make the authors of the jwt-auth plugin aware of this vulnerability.

Environment

  • APISIX version (run apisix version):
  • Operating system (run uname -a):
  • OpenResty / Nginx version (run openresty -V or nginx -V):
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@shreemaan-abhishek
Contributor

Raised a PR: api7/lua-resty-jwt#5, will close this issue once it gets merged. Thanks.

@monkeyDluffy6017
Contributor

Thanks for your reporting @nemmerich

@Sn0rt
Contributor

Sn0rt commented Jul 13, 2023

I will take a look
