Possible security vulnerability: Increase firebase/php-jwt > 6.0

Created on 22 February 2023, almost 2 years ago
Updated 24 March 2023, over 1 year ago

Problem/Motivation

Security advisory:
composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | firebase/php-jwt |
| CVE | CVE-2021-46743 |
| Title | Key/algorithm type confusion |
| URL | https://github.com/advisories/GHSA-8xf4-w7qw-pjjw |
| Affected versions | <6.0.0 |
| Reported at | 2022-03-30T00:00:00+00:00

where jwt is called:
html/modules/contrib/salesforce/modules/salesforce_jwt/composer.json: "firebase/php-jwt": "^5.0",
html/modules/contrib/salesforce/composer.json: "firebase/php-jwt": "^5.0",
html/modules/contrib/salesforce/composer.json: "firebase/php-jwt": "Required for salesforce_jwt, recommended auth provider.",

Steps to reproduce

composer audit

Proposed resolution

Update to a version of firebase/php-jwt > 6.0 or give explanation like http://drupal.org/project/jwt

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Closed: works as designed

Version

5.0

Component

salesforce.module

Created by

🇺🇸 United States SocialNicheGuru


Comments & Activities

  • Issue created by @SocialNicheGuru
  • Status changed to Closed: works as designed over 1 year ago
  • 🇺🇸 United States AaronBauman Philadelphia

    Thank you for the report.
    I discussed this with the security team, including pwolanin who confronted the same issue for https://www.drupal.org/project/jwt

    tl;dr: the CVE for PHP-JWT does not affect Salesforce Suite

    The vulnerability depends on using a keychain (multiple keys in an array or \ArrayAccess interface object) as the 2nd argument passed into JWT::decode(), and on having multiple algorithms passed in the array as the 3rd argument. In addition the keychain must have a mix of algorithm types such as both RS256 and HS256.

    salesforce_jwt only calls JWT::encode($token, $key, 'RS256') and never JWT::decode() so it cannot possibly be vulnerable to the key confusion issue.

    See more info on the https://www.drupal.org/project/jwt project page.

    Also, in the future, please follow security issue reporting protocol to report any potential security vulnerabilities.
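As an added illustration (not code from Salesforce Suite, the jwt module, or the php-jwt project), the encode-only call described above is shown beside a decode under firebase/php-jwt 6.x, where Firebase\JWT\Key binds each verification key to exactly one algorithm, so the keychain-plus-multiple-algorithms condition named in the comment cannot arise. The key pair, claims and the verifyRs256() helper are constructed for this example.

```php
<?php
// Added example, not part of salesforce_jwt. Requires firebase/php-jwt >= 6.0.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Constructed RSA key pair; a real deployment loads these from configuration.
$res = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($res, $privateKey);
$publicKey = openssl_pkey_get_details($res)['key'];

// Issuing side: the same shape as salesforce_jwt's only php-jwt call,
// a single key and a single, fixed algorithm. Nothing here verifies a token.
$claims = [
    'iss' => 'constructed-client-id',
    'sub' => 'user@example.com',
    'aud' => 'https://login.salesforce.com',
    'exp' => time() + 180,
];
$jwt = JWT::encode($claims, $privateKey, 'RS256');

// Verifying side (hypothetical helper; salesforce_jwt never decodes):
// in 6.x the key carries its algorithm, so a token whose header names a
// different algorithm is rejected rather than being checked with the
// public key as if it were a shared HMAC secret.
function verifyRs256(string $jwt, string $publicKey): ?array
{
    try {
        $decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
        return (array) $decoded;
    } catch (\Exception $e) {
        // Covers signature, expiry, and "incorrect key for this algorithm" failures.
        error_log('JWT rejected: ' . $e->getMessage());
        return null;
    }
}

$verified = verifyRs256($jwt, $publicKey);
printf("verified subject: %s\n", $verified['sub'] ?? '(rejected)');
```

The 5.x form this replaces passed a bare key or key array plus an array of allowed algorithms to JWT::decode(); auditing a code base for that call shape is the practical check for whether the CVE conditions in this comment apply.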

  • 🇺🇸 United States bkosborne New Jersey, USA

    Note that version 5.x of firebase/jwt no longer seems supported, since the security vulnerability was addressed only in the 6.x branch of that project. However, it seems there's nothing preventing users of this module from updating to the 6.x branch. Although it's true that the composer.json file in the salesforce_jwt submodule lists 5.x as required, composer doesn't look at the composer.json files of submodules when resolving dependency requirements.

    I think the Salesforce module should update to test and declare support of the 6.x branch of firebase/jwt, but from what I can tell that package's API is limited to one method call to encode a JWT. There don't appear to be any breaking changes from the 5.x > 6.x branch that would impact the way this module uses that API call.

  • 🇺🇸 United States inversed

    Also, in case anyone did not realize, now that the roave/security-advisories package is aware of this, it blocks a composer update if the installed firebase/php-jwt package is 5.x.

    I didn't have any problems manually requiring firebase/php-jwt:6.0 and it looks like the salesforce:5.0.x-dev version has an updated composer.json to support 5.0 or 6.0 so I figure this issue will get resolved eventually.
