Skip to content

Commit

Permalink
CVE-2022-25898 Security fix in JWS and JWT validation
Browse files Browse the repository at this point in the history
  • Loading branch information
kjur committed Jun 23, 2022
1 parent 3edc007 commit 4536a6e
Show file tree
Hide file tree
Showing 22 changed files with 1,425 additions and 1,281 deletions.
13 changes: 13 additions & 0 deletions ChangeLog.txt
Original file line number Diff line number Diff line change
@@ -1,6 +1,19 @@

ChangeLog for jsrsasign

CVE-2022-25898 Security fix in JWS and JWT validation
* Changes from 10.5.24 to 10.5.25 (2022-Jun-23)
- src/jws.js
- JWS.verify and JWS.verifyJWT
- CVE-2022-25898 SECURITY FIX:
verify and verifyJWT may accept signature with special characters
or \number characters by mistake.
Please see security advisory:
https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf
- src/base64x.js
- function isBase64URLDot added
- test/qunit-do-jwt-veri.html

X509.getParam bugfix for v1 certificate
* Changes from 10.5.23 to 10.5.24 (2022-Jun-04)
- src/x509.js
Expand Down
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ HIGHLIGHTS
- no dependency to other library
- no dependency to [W3C Web Cryptography API](https://www.w3.org/TR/WebCryptoAPI/) nor [OpenSSL](https://www.openssl.org/)
- no dependency on newer ECMAScirpt function. So old browsers also supported.
- very popular crypto library with [0.6M+ npm downloads/month](https://npm-stat.com/charts.html?package=jsrsasign&from=2016-05-01&to=2022-06-01)
- very popular crypto library with [0.6M+ npm downloads/month](https://npm-stat.com/charts.html?package=jsrsasign&from=2016-05-01&to=2022-06-20)

INSTALL
-------
Expand Down Expand Up @@ -78,6 +78,7 @@ MORE TUTORIALS AND SAMPLES

|published|fixed version|title/advisory|CVE|CVSS|
|:---|:---|:---|:---|:---|
|2022Jun24|10.5.25|[JWS and JWT signature validation vulnerability with special characters](https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf)|CVE-2022-25898|?|
|2021Apr14|10.2.0|[RSA signature validation vulnerability on maleable encoded message](https://github.com/kjur/jsrsasign/security/advisories/GHSA-27fj-mc8w-j9wg)|CVE-2021-30246|9.1|
|2020Jun22|8.0.19|[ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding](https://github.com/kjur/jsrsasign/security/advisories/GHSA-p8c3-7rj8-q963)|CVE-2020-14966|5.5|
|2020Jun22|8.0.18|[RSA RSAES-PKCS1-v1_5 and RSA-OAEP decryption vulnerability with prepending zeros](https://github.com/kjur/jsrsasign/security/advisories/GHSA-xxxq-chmp-67g4)|CVE-2020-14967|4.8|
Expand Down
4 changes: 2 additions & 2 deletions api/files.html
Original file line number Diff line number Diff line change
Expand Up @@ -681,7 +681,7 @@ <h2><a href="symbols/src/base64x-1.1.js.html">base64x-1.1.js</a></h2>


<dt class="heading">Version:</dt>
<dd>jsrsasign 10.5.23 base64x 1.1.29 (2022-May-27)</dd>
<dd>jsrsasign 10.5.25 base64x 1.1.30 (2022-Jun-23)</dd>



Expand Down Expand Up @@ -776,7 +776,7 @@ <h2><a href="symbols/src/jws-3.3.js.html">jws-3.3.js</a></h2>


<dt class="heading">Version:</dt>
<dd>jsrsasign 8.0.3 jws 3.3.11 (2018-Mar-11)</dd>
<dd>jsrsasign 10.5.25 jws 3.3.12 (2022-Jun-23)</dd>



Expand Down
70 changes: 70 additions & 0 deletions api/symbols/global__.html
Original file line number Diff line number Diff line change
Expand Up @@ -879,6 +879,16 @@ <h1 class="classTitle">
</td>
</tr>

<tr>
<td class="attributes">&lt;static&gt; &nbsp;</td>
<td class="nameDescription">
<div class="fixedFont"><b><a href="../symbols/global__.html#.isBase64URLDot">isBase64URLDot</a></b>(s)
</div>
<div class="description">check whether a string is a base64url encoded string and dot or not<br/>
Input string can conclude new lines or space characters.</div>
</td>
</tr>

<tr>
<td class="attributes">&lt;static&gt; &nbsp;</td>
<td class="nameDescription">
Expand Down Expand Up @@ -3184,6 +3194,66 @@ <h1 class="classTitle">



<hr />

<a name=".isBase64URLDot"> </a>
<div class="fixedFont">&lt;static&gt;

<span class="light">{Boolean}</span>
<b>isBase64URLDot</b>(s)

</div>
<div class="description">
check whether a string is a base64url encoded string and dot or not<br/>
Input string can conclude new lines or space characters.

<br />
<i>Defined in: </i> <a href="../symbols/src/base64x-1.1.js.html">base64x-1.1.js</a>.


</div>



<pre class="code">isBase64URLDot("YWE") &rarr; true
isBase64URLDot("YWE.YWE.YWE") &rarr; true
isBase64URLDot("YW-") &rarr; true
isBase64URLDot("YW+") &rarr; false</pre>




<dl class="detailList">
<dt class="heading">Parameters:</dt>

<dt>
<span class="light fixedFont">{String}</span> <b>s</b>

</dt>
<dd>input string</dd>

</dl>



<dl class="detailList">
<dt class="heading">Since:</dt>
<dd>base64x 1.1.30 jsrsasign 10.5.25</dd>
</dl>
</dl>



<dl class="detailList">
<dt class="heading">Returns:</dt>

<dd><span class="light fixedFont">{Boolean}</span> true if a string "s" is a base64url encoded string and dot otherwise false</dd>

</dl>




<hr />

<a name=".ishex"> </a>
Expand Down
Loading

0 comments on commit 4536a6e

Please sign in to comment.