Distribution Registry Token Authentication Vulnerability Allowing JWK Injection in JWTs

Vulnerability

A vulnerability exists in the Distribution registry, in versions from 3.0.0-beta.1 up to but not including 3.0.0-rc.2, when token authentication is enabled. The issue lies in the JSON Web Key (JWK) verification step, which lets an attacker inject an untrusted signing key into a JSON Web Token (JWT): the verification code only checks that the Key ID (kid) matches a trusted key and never validates the key material itself. As a result, a JWT whose JWK header carries an attacker-chosen public key with a trusted kid is accepted, bypassing the intended signature check.
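The kid-only check described above, placed beside a hardened verifier that also compares the header's key material against the trusted key, as an added example in Go; this is not the registry's own code. The simplified Token struct, the trusted-key map keyed by kid, the constructed kid "trusted-1", and the use of ECDSA P-256 over SHA-256 are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is a simplified stand-in for a JWT (an assumption for this example):
// the header carries a Key ID and an embedded JWK (modelled as a public key),
// the payload is opaque bytes, and Signature is an ASN.1 ECDSA signature over
// SHA-256(payload).
type Token struct {
	KID       string
	HeaderJWK *ecdsa.PublicKey
	Payload   []byte
	Signature []byte
}

// verifyVulnerable mirrors the flawed logic: it only checks that the kid names
// a trusted key, then verifies with whatever key the token's own header carried.
func verifyVulnerable(trusted map[string]*ecdsa.PublicKey, tok Token) error {
	if _, ok := trusted[tok.KID]; !ok {
		return errors.New("unknown kid")
	}
	if tok.HeaderJWK == nil {
		return errors.New("no JWK in header")
	}
	digest := sha256.Sum256(tok.Payload)
	if !ecdsa.VerifyASN1(tok.HeaderJWK, digest[:], tok.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// verifyFixed resolves the kid to the trusted key, rejects a header JWK whose
// key material differs from it, and verifies with the trusted key only.
func verifyFixed(trusted map[string]*ecdsa.PublicKey, tok Token) error {
	pub, ok := trusted[tok.KID]
	if !ok {
		return errors.New("unknown kid")
	}
	if tok.HeaderJWK != nil && !tok.HeaderJWK.Equal(pub) {
		return errors.New("header JWK does not match trusted key for kid")
	}
	digest := sha256.Sum256(tok.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], tok.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// mint builds a token with the given kid and header key, signed by priv.
func mint(kid string, headerKey *ecdsa.PublicKey, priv *ecdsa.PrivateKey, payload []byte) (Token, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Token{}, err
	}
	return Token{KID: kid, HeaderJWK: headerKey, Payload: payload, Signature: sig}, nil
}

// Outcome records how each verifier treats a genuine token and a token whose
// header JWK is an untrusted key reusing a trusted kid.
type Outcome struct {
	VulnAcceptsGenuine, VulnAcceptsInjected   bool
	FixedAcceptsGenuine, FixedAcceptsInjected bool
}

// Demo generates a trusted key under the constructed kid "trusted-1" and an
// untrusted key, mints both token kinds, and runs them through both verifiers.
func Demo() (Outcome, error) {
	trustedPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	untrustedPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	trusted := map[string]*ecdsa.PublicKey{"trusted-1": &trustedPriv.PublicKey}
	payload := []byte(`{"constructed":"sample claims"}`)

	genuine, err := mint("trusted-1", &trustedPriv.PublicKey, trustedPriv, payload)
	if err != nil {
		return Outcome{}, err
	}
	injected, err := mint("trusted-1", &untrustedPriv.PublicKey, untrustedPriv, payload)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		VulnAcceptsGenuine:   verifyVulnerable(trusted, genuine) == nil,
		VulnAcceptsInjected:  verifyVulnerable(trusted, injected) == nil,
		FixedAcceptsGenuine:  verifyFixed(trusted, genuine) == nil,
		FixedAcceptsInjected: verifyFixed(trusted, injected) == nil,
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The defensive point is in verifyFixed: the kid is only a lookup hint, the key that actually verifies the signature must come from the trusted set, and any key material the token carries is compared against it rather than used directly. Comparing the key itself (here via ecdsa.PublicKey.Equal) is what closes the gap; matching on kid alone does not.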

Impact

Exploitation of this vulnerability allows for the injection of untrusted signing keys into JWTs, potentially leading to unauthorized actions or access within the application.

Reproduction

To reproduce this vulnerability, first generate a key pair and create a JWT. Include the public key in the JWK header and set the Key ID to match one of the trusted keys. Sign the JWT with the private key; the registry will then accept the JWT, verifying the signature with the injected public key, because of the flawed verification process.

Remediation

Users should update to Distribution registry version 3.0.0-rc.3 or later. If the system requires token authentication, there is no workaround other than applying the patch.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.