RubySec

Providing security resources for the Ruby community

CVE-2018-1000539 (json-jwt): Auth tag forgery vulnerability with AES-GCM encrypted JWT

ADVISORIES

GEM

json-jwt

SEVERITY

CVSS v3: 5.3

UNAFFECTED VERSIONS

  • < 0.5.1

PATCHED VERSIONS

  • >= 1.9.4

DESCRIPTION

Ruby’s OpenSSL bindings do not check the length of the supplied authentication tag when decrypting an authenticated encryption mode such as AES-GCM, leaving this up to the authors of a gem/app to implement for properly validating the message.

json-jwt was not checking for the authentication tag length, meaning that with a one byte tag the JWT would be considered not tampered with. This means that with an average of 128 (max 256) attempts an attacker can forge a valid signature.