CVE-2024-33531
📋 TL;DR
This vulnerability in lua-resty-jwt 0.2.3 allows attackers to bypass JWT signature verification by crafting a JWT with an 'enc' header set to 'A256GCM'. This enables authentication bypass in applications using this library for JWT validation. Any system using the vulnerable version of lua-resty-jwt for JWT-based authentication is affected.
💻 Affected Systems
- lua-resty-jwt
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing unauthorized access to protected resources, potentially leading to data theft, privilege escalation, or system compromise.
Likely Case
Authentication bypass enabling unauthorized access to application endpoints that rely on JWT validation for authorization.
If Mitigated
Limited impact if additional authentication layers or strict input validation are implemented alongside JWT validation.
🎯 Exploit Status
Exploitation requires crafting a JWT with specific header values. Public proof-of-concept exists in the GitHub issue and security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit d1558e2afefe868fea1e7e9a4b04ea94ab678a85
Vendor Advisory: https://github.com/cdbattags/lua-resty-jwt/commit/d1558e2afefe868fea1e7e9a4b04ea94ab678a85
Restart Required: Yes
Instructions:
1. Update lua-resty-jwt to the latest version or specifically apply commit d1558e2afefe868fea1e7e9a4b04ea94ab678a85.
2. Restart the OpenResty/nginx service.
3. Regenerate all JWTs in use.
🔧 Temporary Workarounds
Input validation filter
Add custom validation that rejects JWTs whose header carries 'enc' set to 'A256GCM' before the token reaches the library's verification code.
-- Custom Lua validation code required, no single command
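The pre-check that the workaround above describes, written here as an added example rather than code from lua-resty-jwt or its maintainers. It assumes OpenResty (ngx.decode_base64, ngx.var, ngx.log) and lua-cjson; it rejects any token whose header contains 'enc' at all, not only the 'A256GCM' value, because a JWS header never carries that field, and the `expected_alg` value is a placeholder for whatever algorithm the application actually issues.

```lua
-- Added example: reject JWE-style tokens before they reach lua-resty-jwt's verify().
-- Assumes OpenResty (ngx.*) and lua-cjson; not part of the library itself.
local cjson = require "cjson.safe"   -- decode() returns nil on bad input instead of raising

-- Decode one base64url segment of a compact JWT (URL-safe alphabet, no padding).
local function b64url_decode(seg)
  local s = seg:gsub("%-", "+"):gsub("_", "/")
  local rem = #s % 4
  if rem == 1 then return nil end           -- impossible length for valid base64
  if rem == 2 then s = s .. "==" elseif rem == 3 then s = s .. "=" end
  return ngx.decode_base64(s)                 -- nil if not well-formed base64
end

-- Returns true if the token may be passed on to lua-resty-jwt, else false plus a reason.
-- expected_alg is an assumption: set it to the single alg your application issues.
local function precheck_jwt_header(token, expected_alg)
  if type(token) ~= "string" then return false, "missing token" end
  local first_dot = token:find(".", 1, true)
  if not first_dot then return false, "not a compact JWT" end
  local header_json = b64url_decode(token:sub(1, first_dot - 1))
  if not header_json then return false, "header is not valid base64url" end
  local header = cjson.decode(header_json)
  if type(header) ~= "table" then return false, "header is not a JSON object" end
  -- Any 'enc' field means the token asks to be treated as JWE, the code path the
  -- vulnerable version mishandled; a plain signed JWT (JWS) never carries it.
  if header.enc ~= nil then return false, "JWE 'enc' header not accepted" end
  -- Pin the algorithm as well, so header-driven algorithm switching is refused.
  if header.alg ~= expected_alg then return false, "unexpected alg" end
  return true
end

-- Use from an access_by_lua_block, before calling jwt:verify().
-- 'HS256' is a placeholder for the algorithm your application actually issues.
local auth = ngx.var.http_authorization or ""
local token = auth:match("^Bearer%s+(.+)$")
local ok, reason = precheck_jwt_header(token, "HS256")
if not ok then
  ngx.log(ngx.WARN, "rejected JWT before verification: ", reason)  -- feeds the log indicators below
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
```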
🧯 If You Can't Patch
- Implement additional authentication layers (e.g., IP whitelisting, multi-factor authentication) for critical endpoints.
- Monitor logs for authentication attempts with JWTs containing 'enc: A256GCM' header and block offending IPs.
🔍 How to Verify
Check if Vulnerable:
Check whether your application uses lua-resty-jwt version 0.2.3. Test by attempting to authenticate with a crafted JWT whose header contains 'enc: A256GCM'.
Check Version:
Check the lua-resty-jwt source code or package manager for version 0.2.3
Verify Fix Applied:
After updating, test authentication with the same crafted JWT; it should now be rejected. Verify that the library version has been updated.
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts with a JWT whose header contains 'enc: A256GCM'
- Successful authentication from unexpected sources
Network Indicators:
- HTTP requests with JWT tokens containing unusual header values
SIEM Query:
search 'jwt' AND ('enc: A256GCM' OR 'authentication bypass') in application logs
🔗 References
- https://github.com/cdbattags/lua-resty-jwt/commit/d1558e2afefe868fea1e7e9a4b04ea94ab678a85
- https://github.com/cdbattags/lua-resty-jwt/issues/61
- https://insinuator.net/2023/10/lua-resty-jwt-authentication-bypass/