Private Json Web Key Set Disclosure
Summary#
Invicti identified a Private Json Web Key Set Disclosure.
Impact#
Disclosed JSON Web Key Set (JWKS) vulnerability introduces severe risks to the affected system. Potential unauthorized access and impersonation of users due to private key exposure can compromise data integrity, damage the systems reputation, and lead to regulatory non-compliance. Even with only public key exposure, algorithm and key confusion attacks pose additional threats to authentication and authorization mechanisms.
Remediation#
When making your JWK Set public, ensure that private key components are excluded. If the JWK Set only contains public key components, its exposure does not pose a security threat on its own. In fact, utilizing a JWK Set appropriately can be considered a best practice for non-security-related reasons.
Classifications#