Jervis Library JWT Algorithm Confusion Vulnerability
Vulnerability
A vulnerability in the Jervis library for Job DSL plugin scripts and shared Jenkins pipeline libraries, prior to version 2.2, allows JWT (JSON Web Token) header manipulation: the library's verification code does not check that the token header specifies the RS256 algorithm, so it trusts whatever algorithm the header declares, which can potentially allow JWT forgery. This issue is particularly relevant for external users interfacing with GitHub, where a tampered JWT could allow unauthorized actions or access.
Impact
This vulnerability could enable JWT forgery: an attacker could create malicious tokens that the system accepts as valid, potentially leading to unauthorized access or actions, especially where JWTs are used for authentication or authorization.
Reproduction
The vulnerability can be reproduced by using a Jervis version prior to 2.2 and creating a JWT with a header that specifies an algorithm other than RS256, such as HS256 or none. This token can then be processed by the Jervis library, which will incorrectly validate it as legitimate.
Remediation
Upgrade to Jervis version 2.2 or later, which includes the necessary validation to ensure the JWT header specifies the RS256 algorithm.
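The following Go program is an added illustration of the remediation and is not code from Jervis (which is a Groovy library) or from the Jenkins project. It shows a verifier that pins the algorithm to RS256 before it looks at the signature, and exercises it against four constructed tokens: one genuine RS256 token, one whose payload was altered after signing, and two whose headers claim none and HS256, the cases named under Reproduction. The key pair, the claims and the token labels are all constructed for the example; no real Jervis or GitHub token is involved. Go is used because its standard library provides RSA and base64url, so the demonstration runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrAlgNotPinned = errors.New("jwt: header alg is not RS256") // raised before any signature work
	ErrBadSignature = errors.New("jwt: RS256 signature verification failed")
	b64             = base64.RawURLEncoding // JWS segments are base64url without padding
)

// VerifyRS256 parses a compact JWS, pins the algorithm to RS256 and checks the
// RSASSA-PKCS1-v1_5/SHA-256 signature with pub; it returns the raw claims JSON only when both pass.
func VerifyRS256(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three dot-separated segments")
	}
	var seg [3][]byte // decoded header, payload, signature
	for i, s := range parts {
		d, err := b64.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("jwt: segment %d is not base64url: %w", i, err)
		}
		seg[i] = d
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(seg[0], &h); err != nil {
		return nil, fmt.Errorf("jwt: header is not JSON: %w", err)
	}
	// The remediation the advisory describes: the verifier, not the token,
	// decides which algorithm is acceptable. HS256, none, etc. stop here.
	if h.Alg != "RS256" {
		return nil, ErrAlgNotPinned
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, ErrBadSignature
	}
	return seg[1], nil
}

// signingInput returns base64url(header) + "." + base64url(claims), the bytes a JWS signature covers.
func signingInput(hdr, claims string) string {
	return b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString([]byte(claims))
}

// signRS256 signs a fixture token (constructed sample input, not a real Jervis or GitHub token).
func signRS256(claims string, priv *rsa.PrivateKey) (string, error) {
	in := signingInput(`{"alg":"RS256","typ":"JWT"}`, claims)
	digest := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return in + "." + b64.EncodeToString(sig), nil
}

// Demo verifies four constructed tokens against one fresh key and returns each verification error (nil = accepted).
func Demo() (map[string]error, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	claims := `{"iss":"constructed-example","sub":"jervis-user"}`
	good, err := signRS256(claims, priv)
	if err != nil {
		return nil, err
	}
	// Genuine signature reused over a different payload: the RS256 check itself must fail.
	p := strings.Split(good, ".")
	tampered := p[0] + "." + b64.EncodeToString([]byte(`{"sub":"admin"}`)) + "." + p[2]
	// Headers naming another algorithm plus an arbitrary signature segment: rejected before any signature check.
	junk := "." + b64.EncodeToString([]byte("not-a-real-signature"))
	pub := &priv.PublicKey
	results := map[string]error{}
	_, results["RS256"] = VerifyRS256(good, pub)
	_, results["RS256-tampered"] = VerifyRS256(tampered, pub)
	_, results["none"] = VerifyRS256(signingInput(`{"alg":"none","typ":"JWT"}`, claims)+junk, pub)
	_, results["HS256"] = VerifyRS256(signingInput(`{"alg":"HS256","typ":"JWT"}`, claims)+junk, pub)
	return results, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

The design point is that the expected algorithm is a property of the verifier's configuration, and the header's alg value is only compared against it, never used to select a verification routine. The same shape applies with any JWT library: configure the single algorithm the issuer uses and reject everything else before signature processing begins. Pipelines that accept GitHub-issued tokens should also log the rejections above, since a run of ErrAlgNotPinned failures is a useful detection signal.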
