Signature Bypass in several JSON Web Token Libraries (CVEs Needed?)

["Jeremy Spilman" <jeremy () taplink co>]

Tim McLean discovered two serious (related) vulnerabilities common to  
several widely used JSON Web Token (JSW) libraries which he wrote about  
here [1] a month ago, and again today here [2].

A JWT is base64 encoded header, payload, and signature, where the header  
specifies the signature algorithm and an expiration timestamp.

The validation libraries running server side provide APIs such as;

  verify(string token, string secretKey)

The two critical bugs;

- Even when a secretKey was provided to the API, if the data in 'token'  
decoded to a header specifying a signature algorithm of *none*, the API  
would still return success. Meaning an attacker could just strip the  
signature, change the header, and bypass the signature validation  
server-side.

- If the secretKey was expected to be a RSA public key, but the attacker  
changed the header to indicate a signature algorithm of HMAC, the RSA  
public key would be used as the signing secret.

Effected libraries include but probably not limited to:

namshi-jose:  
https://github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a07933db0b5ff5cd636
python-jwt:  
https://github.com/davedoesdev/python-jwt/commit/5ddb71b2ed5785c329b761e45a246996a1dd9cab
node-jsonwebtoken:  
https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687
pyjwt:  
https://github.com/jpadilla/pyjwt/commit/88a9fc56bdc6c870aa6af93bda401414a217db2a
php-jwt: Not yet patched?
jsjwt: Not yet patched?

I think these are all (possibly independently) CVE worthy... I requested  
Tim file CVEs here [3], but I haven't seen any to-date. I'm not sure about  
requesting CVEs on someone else's work, I'm just an interested bystander  
here.


[1] - https://www.timmclean.net/2015/02/25/jwt-alg-none.html
[2] -  
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
[3] - https://news.ycombinator.com/item?id=9111049