tediousjs / tedious

Node TDS module for connecting to SQL Server databases.

Home Page:http://tediousjs.github.io/tedious/


Vulnerability with jsonwebtoken

cawoodm opened this issue · comments

commented

Software versions

  • Tedious:
  • SQL Server:
  • Node.js:

Additional Libraries Used and Versions

  • "mssql": "9.0.1"
    • "tedious": "^15.0.1" (15.1.2)
      • "@azure/identity": "^2.0.4"
        • "@azure/msal-node": "^1.10.0"
          • "jsonwebtoken": "^8.5.1" !!!

Problem description
There is a vulnerability with jsonwebtoken which affects the latest version of tedious.

Expected behavior
An update to tedious to remove/upgrade the vulnerable library.

Actual behavior
NPM Audit detects vulnerabilities.

Error message/stack trace

$ npm audit --registry=https://registry.npmjs.org/ 

# npm audit report

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install mssql@7.2.0, which is a breaking change
node_modules/jsonwebtoken
  @azure/msal-node  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/@azure/msal-node
    @azure/identity  >=1.2.0-alpha.20200903.1
    Depends on vulnerable versions of @azure/msal-node
    node_modules/@azure/identity
      tedious  >=11.0.9
      Depends on vulnerable versions of @azure/identity
      node_modules/tedious
        mssql  >=7.2.1
        Depends on vulnerable versions of tedious
        node_modules/mssql

5 vulnerabilities (4 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Any other details that can be helpful

Would it need reporting through https://www.npmjs.com/package/@azure/msal-node#security-reporting as I'm not sure tedious itself is the issue?
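The audit output above shows the whole chain that drags `jsonwebtoken` into a project that only asked for `mssql`. The script below is an added example, not code from tedious, mssql or npm: it walks a `package-lock.json` (v2/v3 `packages` map), lists every dependency path that reaches a named package, and flags installed versions that fall inside a range written the way `npm audit` prints it (`<=8.5.1`, `*`, `>=1.0.0 <2.0.0`). The lock file is constructed inline to mirror the chain in the report; the installed versions the thread does not state (`@azure/identity` 2.1.0, `@azure/msal-node` 1.14.5, and the post-fix `jsonwebtoken` 9.0.0) are illustrative placeholders. It needs only Node.js, no dependencies, and does not follow workspace `link` entries.

```javascript
// Added example for this thread (not tedious, mssql or npm code): find every
// dependency path in a package-lock.json that reaches `target`, and flag
// installed versions inside an npm-audit style vulnerable range.
// Run with: node audit-lock.js   (Node >= 14, no dependencies)

// Constructed sample lock mirroring the chain npm audit printed above.
// identity 2.1.0 and msal-node 1.14.5 are placeholders, not release claims.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { mssql: "9.0.1" } },
    "node_modules/mssql": { version: "9.0.1", dependencies: { tedious: "^15.0.1" } },
    "node_modules/tedious": { version: "15.1.2", dependencies: { "@azure/identity": "^2.0.4" } },
    "node_modules/@azure/identity": { version: "2.1.0", dependencies: { "@azure/msal-node": "^1.10.0" } },
    "node_modules/@azure/msal-node": { version: "1.14.5", dependencies: { jsonwebtoken: "^8.5.1" } },
    "node_modules/jsonwebtoken": { version: "8.5.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; build metadata and loose forms are rejected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// -1 / 0 / 1. A prerelease sorts before its release; prerelease identifiers are
// not ordered among themselves, which is enough for audit ranges.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// "||" separates alternatives; inside one, whitespace-separated comparators are
// ANDed; "*" matches every version. An empty range matches nothing.
function satisfiesRange(version, range) {
  return range.split("||").some((alt) => {
    const comps = alt.trim().split(/\s+/).filter(Boolean);
    if (comps.length === 0) return false;
    if (comps.length === 1 && comps[0] === "*") return true;
    return comps.every((comp) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case "<": return c < 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case ">=": return c >= 0;
        default: return c === 0;
      }
    });
  });
}

// Resolve `name` from the package installed at `fromPath` the way Node does:
// its own node_modules first, then each ancestor's, then the top level.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("node_modules/");
    base = idx <= 0 ? "" : base.slice(0, idx - 1); // drop trailing "node_modules/<pkg>"
  }
}

// Every path root -> ... -> target as arrays of {name, version}; cycles are cut.
function findPaths(lock, target) {
  const packages = lock.packages;
  const root = packages[""] || {};
  const results = [];
  const visit = (pkgPath, chain, seen) => {
    const entry = packages[pkgPath];
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      pkgPath === "" ? entry.devDependencies : undefined);
    for (const name of Object.keys(deps)) {
      const loc = resolveDep(packages, pkgPath, name);
      if (!loc || seen.has(loc)) continue; // unresolved, or a dependency cycle
      const next = chain.concat({ name, version: packages[loc].version });
      if (name === target) results.push(next);
      else visit(loc, next, new Set(seen).add(loc));
    }
  };
  visit("", [{ name: root.name || "(root)", version: root.version || "" }], new Set([""]));
  return results;
}

// What a CI job can act on: installed versions of `target`, which of them sit in
// `vulnerableRange`, and the chain that pulls each one in.
function auditPackage(lock, target, vulnerableRange) {
  const paths = findPaths(lock, target);
  const installed = [...new Set(paths.map((p) => p[p.length - 1].version))];
  const vulnerable = installed.filter((v) => satisfiesRange(v, vulnerableRange));
  const chains = paths.map((p) =>
    p.map((e, i) => (i === 0 ? e.name : `${e.name}@${e.version}`)).join(" > "));
  return { installed, vulnerable, paths: chains };
}

// Same tree after the fix the thread describes (msal-node 1.14.6 pulling a newer
// jsonwebtoken); the jsonwebtoken version here is a constructed placeholder.
const patchedLock = JSON.parse(JSON.stringify(sampleLock));
patchedLock.packages["node_modules/@azure/msal-node"] = { version: "1.14.6", dependencies: { jsonwebtoken: "^9.0.0" } };
patchedLock.packages["node_modules/jsonwebtoken"] = { version: "9.0.0" };

console.log(JSON.stringify(auditPackage(sampleLock, "jsonwebtoken", "<=8.5.1"), null, 2));
console.log(JSON.stringify(auditPackage(patchedLock, "jsonwebtoken", "<=8.5.1"), null, 2));
```

Replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project. The useful part for a triage like this one is `paths`: it tells you which direct dependency owns the problem and therefore whose release you are waiting on, which is exactly the question the thread spends several comments settling.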

Security reporting is for undisclosed issues. You can see from their current development build that they have already upgraded the version of jsonwebtoken.

PS: see tediousjs/node-mssql#1451 (comment) for reasoning on why this is a non-exploitable vulnerability.

commented

Could you clarify how we are to resolve this? I'm not sure who "their" is referring to...

AFAIK we are using the current release of tedious v5.1.2 and the vulnerability, though perhaps inaccessible, is blocking our CI checks.

"their" refers to the @azure/msal-node library - see AzureAD/microsoft-authentication-library-for-js#5473 for their WIP release for Jan.

As it's a patch release, it should automatically get installed and resolve the alerts once it is published.

@azure/msal-node 1.14.6 is available now, which should fix these issues.
Azure/azure-sdk-for-js#24403 (comment)

Hi @cawoodm, we have merged the fix #1511, which includes the msal-node side fix for this. Please try it after the next release, or you can get the latest repo and see if the changes work for you.

Hi @cawoodm, just double-checking: have you had a chance to try out the latest master branch with the code change from #1511? I will close this one for now. If you have any additional problem, we can reopen it.