Description
OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.
A flaw was found in OpenSIPS. The auth_jwt module, when configured with db_mode and a SQL database backend, contains a SQL injection vulnerability in the jwt_db_authorize() function. This function extracts the tag claim from a JSON Web Token (JWT) without verifying its signature and directly incorporates the unescaped value into a SQL query. A remote attacker can exploit this by supplying a crafted JWT with a malicious tag claim, leading to manipulation of query results, bypass of JWT authentication, and impersonation of arbitrary identities.
Report
This is an IMPORTANT flaw in OpenSIPS. The vulnerability exists when the auth_jwt module is enabled, configured with db_mode, and utilizes a SQL database backend for JWT authorization. An attacker can exploit this specific configuration to bypass authentication and impersonate identities by crafting a malicious JWT. Systems are only affected if OpenSIPS is deployed with this particular configuration.
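The mechanism described above, modelled as an added example (not OpenSIPS code and not the fix from commit 3822d33): in db_mode the tag claim selects which stored secret verifies the token, so it is necessarily read before any signature check and must be treated as attacker-controlled input. The vulnerable pattern splices that claim into the SQL text; the hardened version binds it as a parameter and only then verifies the signature with the secret the row returns. Table and column names are assumptions.

```python
"""Model of an auth_jwt-style db_mode lookup (added example, not OpenSIPS code).
The `tag` claim picks the stored secret, so it is read before verification and
must be treated as untrusted input. Table and column names are assumptions."""
import base64, hashlib, hmac, json, sqlite3

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, secret: bytes) -> str:
    head = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE jwt_secrets (tag TEXT, username TEXT, secret TEXT)")
    conn.execute("INSERT INTO jwt_secrets VALUES ('alice-tag', 'alice', 's3cret')")
    return conn

def vulnerable_query(tag: str) -> str:
    # The pattern the advisory describes: the unescaped claim is spliced into
    # the SQL text, so a quote in the claim changes the statement, not the value.
    return f"SELECT username, secret FROM jwt_secrets WHERE tag='{tag}'"

def hardened_authorize(token: str, conn: sqlite3.Connection):
    """Return the username the token proves, or None."""
    try:
        head, body, sig = token.split(".")
        tag = json.loads(b64url_decode(body))["tag"]
    except (ValueError, KeyError):
        return None
    # Bound parameter: the tag can only match a stored value literally.
    row = conn.execute("SELECT username, secret FROM jwt_secrets WHERE tag=?",
                       (tag,)).fetchone()
    if row is None:
        return None
    username, secret = row
    # Verify with the secret the row supplied; nothing is trusted before this.
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return username
```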
EPSS / CVSS3: 8.2 High