Query

Link to pull request with your CodeQL query:

Relevant PR: github/codeql#6021

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted through a digital signature. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

JWT Best Practices require human-memorizable passwords MUST NOT be directly used as the key to a keyed-MAC algorithm such as “HS256”. RFC 7518 recommends to use a password that is as large as (or larger than) the derived key length in JSON web algorithms. Common JWT signature algorithms are HS256, HS384, and HS512.

Popular JWT libraries offer a method to set signing key with a handy string argument in addition to the method with a byte array argument taking the binary cryptographic key. It is a common mistake that JWT users are confused by the method signature and attempted to use raw password strings as the key argument, which is almost always incorrect for cryptographic hashes and can produce insecure results.

Signature algorithms are vulnerable to brute force attack when a weak key of shorter length is used. This query detect uses of signature algorithms with a weak key of shorter length in two popular JWT frameworks jjwt and jose4j:

• Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

• sports-mall-server
• TLOG16RS