GHSA-675f-rq2r-jw82

Описание

Impact

The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Example attack scenario:

1. An attacker has stolen the private key for a key published in JWK Set.
2. The publishers of that JWK Set remove that key from the JWK Set.
3. Enough time has passed that the program using the auto-caching HTTP client found in github.com/MicahParks/jwkset v0.5.0-v0.5.21 has elapsed its HTTPClientStorageOptions.RefreshInterval duration, causing a refresh of the remote JWK Set.
4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.

Patches

The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. Upgrade to v0.6.0 or later.

Workarounds

The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value). Upgrade to v0.6.0 is advised.

References

Please see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40