Currently it's possible to enumerate client JWT secret IDs by providing an invalid JWT with a key ID. If the key ID exists, then the error will be one about the secret being invalid, whereas if it doesn't exist, it will be an error about no matching key being found:
eleel/src/jwt.rs, lines 71 to 72 in f164b02
To prevent client enumeration we should ensure the error is the same in these two cases.
Thanks @chong-he for testing and finding this.
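The two error paths described above, as an added illustration that is not eleel's code and not the contents of jwt.rs: a verifier whose error reveals whether the key ID exists, beside one that returns a single error for both cases. The key-store layout, the `AuthError` enum and the `toy_mac` stand-in for HMAC are assumptions made for the example.

```rust
use std::collections::HashMap;

/// What the client sees. One `Unauthorized` variant for both failure modes
/// is what closes the key-ID oracle; the other two variants model the leak.
#[derive(Debug, PartialEq)]
pub enum AuthError { UnknownKeyId, InvalidSignature, Unauthorized }

/// Stand-in for HMAC-SHA256 so the example runs without crates (assumption,
/// not a real MAC): folds secret and message bytes into 8 output bytes.
pub fn toy_mac(secret: &[u8], msg: &[u8]) -> Vec<u8> {
    let mut out = vec![0u8; 8];
    for (i, b) in secret.iter().chain(msg).enumerate() {
        out[i % 8] = out[i % 8].wrapping_mul(31).wrapping_add(*b);
    }
    out
}

/// Constant-time equality, so response timing does not become a second oracle.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Leaky shape: the error differs depending on whether `kid` is known.
pub fn verify_leaky(secrets: &HashMap<String, Vec<u8>>, kid: &str, msg: &[u8], sig: &[u8])
    -> Result<(), AuthError> {
    let secret = secrets.get(kid).ok_or(AuthError::UnknownKeyId)?;
    if ct_eq(&toy_mac(secret, msg), sig) { Ok(()) } else { Err(AuthError::InvalidSignature) }
}

/// Hardened shape: an unknown `kid` is checked against a fixed dummy secret so
/// both failures run the same code path and surface the same error.
pub fn verify_uniform(secrets: &HashMap<String, Vec<u8>>, kid: &str, msg: &[u8], sig: &[u8])
    -> Result<(), AuthError> {
    const DUMMY: &[u8] = b"dummy-secret-for-unknown-kid";
    let known = secrets.get(kid);
    let mac_ok = ct_eq(&toy_mac(known.map(Vec::as_slice).unwrap_or(DUMMY), msg), sig);
    // The `is_some` check means a MAC computed under DUMMY is never accepted.
    if mac_ok && known.is_some() { Ok(()) } else { Err(AuthError::Unauthorized) }
}

/// Constructed sample key store; the IDs and secrets are made up for the example.
pub fn sample_secrets() -> HashMap<String, Vec<u8>> {
    [("kid-1", "s3cret-one"), ("kid-2", "s3cret-two")]
        .iter().map(|(k, s)| (k.to_string(), s.as_bytes().to_vec())).collect()
}

fn main() {
    let s = sample_secrets();
    println!("{:?}", verify_leaky(&s, "nope", b"m", b"bad"));   // UnknownKeyId: leaks
    println!("{:?}", verify_uniform(&s, "nope", b"m", b"bad")); // Unauthorized
}
```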