Security Finding Issue JWT Token

Xtremax · January 21, 2022, 7:08am

Hi,

We want to inquire about the security findings on ServiceStack.Redis.Core version 5.8.0 as shown below:

CVE CVSS 3:5.3
CVE CVSS 2.0:5.0
Sonatype CVSS 3:6.5

afaik, version 5.9.2, has resolved the JWT signature verification issue. However, we still used version 5.8.0 but didn’t utilize the JWT Token. Is it okay if we keep using version 5.8.0? or should we upgrade it to 5.9.2 and above to mitigate the security issue?

Thank You

mythz · January 21, 2022, 7:11am

Upgrading is recommended or at the least include minimum length validation for JWTs:

new JwtAuthProvider(...) {
    ValidateToken = (js,req) => req.GetJwtToken().LastRightPart('.').FromBase64UrlSafe().Length >= 32,
}

But this only affects ServiceStack not ServiceStack.Redis which does not contain the JWT Provider implementation.