
Is SiteMinder vulnerable to the recently identified JSON Web Token vulnerability CVE-2022-23529?


Article ID: 257797


Updated On:

Products

SITEMINDER

Issue/Introduction

In versions <= 8.5.1 of the jsonwebtoken library, a malicious actor who is able to modify the key retrieval parameter of the jwt.verify() function (the secretOrPublicKey argument from the readme link) can gain remote code execution (RCE).
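To check whether a Node.js application of your own installs a release in that range, the version condition can be applied to a parsed package-lock.json. This is an added example, not part of the original article or the jsonwebtoken project; the sample lockfile and the package name legacy-auth are constructed.

```javascript
const LIB = "jsonwebtoken";
const LAST_AFFECTED = [8, 5, 1]; // from the advisory text: versions <= 8.5.1

// Parse "major.minor.patch"; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return false; // unparseable (git URL, link entry): review by hand
  for (let i = 0; i < 3; i++) {
    if (p[i] !== LAST_AFFECTED[i]) return p[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 8.5.1
}

// Returns [{ path, version, affected }] for every installed copy of the library.
function findJsonwebtoken(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${LIB}` || path.endsWith(`/node_modules/${LIB}`)) {
      hits.push({ path, version: info.version, affected: isAffected(info.version) });
    }
  }
  if (hits.length) return hits;
  // lockfileVersion 1: nested "dependencies" tree.
  (function walk(deps, prefix) {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}${name}`;
      if (name === LIB) hits.push({ path, version: info.version, affected: isAffected(info.version) });
      walk(info.dependencies, `${path} > `);
    }
  })(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; "legacy-auth" is a hypothetical package name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsonwebtoken": { version: "9.0.0" },
    "node_modules/legacy-auth/node_modules/jsonwebtoken": { version: "8.5.1" },
  },
};
console.log(findJsonwebtoken(sampleLock));
```

For a real project, pass the result of `JSON.parse` on the project's package-lock.json to `findJsonwebtoken`; nested copies pulled in by other dependencies are reported with their install path.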

Environment

ANY

Resolution

SiteMinder does not use the jsonwebtoken JavaScript library and is therefore not affected.